My organization has created a URL for a Google Doc for others to share. The URL contains more than 100 characters.
Are there security issues in shortening the URL to six characters? Are there benefits to having long URLs?
Short URLs are designed for convenience, not for security. They contain a domain -- such as goog.le -- and a token of five or six characters.
Long URLs of 100 characters or more are difficult to remember, so they have to be copied and pasted from an email's message body into the browser's address field. Twitter, for example, limits its users to 120 characters. A short URL is also easier for users to remember and type into the address field.
Friends and trusted collaborators use short URLs to share Google Docs and Sheets on desktops, tablets and smartphones. Users are not required to use passwords to view and edit these files. When using mapping services, users share locations and directions between, for example, home residences and medical facilities or physician offices.
An attacker can scan short URLs using brute-force searches. When the attacker discovers a valid short URL, resolving it exposes the long URL in plain text. This exposure enables the attacker to inject, for example, malware into editable Microsoft Word and Excel files and scripts for images and videos.
Microsoft OneDrive and Google Drive are two primary cloud storage services that generate long URLs. Cloud-stored files are automatically copied to a user's personal computers, tablets and other devices. These include files the attacker injected with malware in the cloud.
Beginning in September 2015, newly created short URLs for Google Maps have a token of 11 or 12 characters. This makes it more difficult and time-consuming for the attacker to scan the URLs by brute force, discover a short URL and exploit the content behind it.
In March 2016, Microsoft removed the shorten link option from OneDrive. All previously generated short URLs are vulnerable to scanning and malware injection.
Longer tokens in short URLs are not available for Google Docs and Sheets. Enterprises and users should continue to use long URLs.
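The token-length argument above can be made concrete. The following is an added example, not part of the original answer: it estimates token entropy and the mean number of random guesses needed to land on a live link, and flags shortener-style links in a piece of text. The 62-character alphabet, the 64-bit policy threshold and the `short.example` and `docs.example` URLs are assumptions constructed for illustration.

```python
import math
import re
from urllib.parse import urlparse

ALPHABET = 62  # assumption: tokens are drawn uniformly from a-z, A-Z, 0-9


def token_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random token of the given length."""
    return length * math.log2(alphabet)


def expected_guesses(length, live_links, alphabet=ALPHABET):
    """Mean number of random guesses before one matches a live link.

    Each guess hits with probability live_links / alphabet**length, so the
    mean of the resulting geometric distribution is the inverse of that.
    """
    return alphabet ** length / live_links


def audit_links(text, min_bits=64):
    """Return (url, token, bits) for links whose whole path is one weak token.

    min_bits is an assumed policy threshold, not a value from the article.
    """
    findings = []
    for raw in re.findall(r"https?://[^\s<>\"']+", text):
        url = raw.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        path = urlparse(url).path.strip("/")
        # Shortener style: the path is a single alphanumeric token.
        if re.fullmatch(r"[A-Za-z0-9]+", path):
            bits = token_bits(len(path))
            if bits < min_bits:
                findings.append((url, path, round(bits, 1)))
    return findings


# Constructed sample text: a 6-character token, a 12-character token and a
# long document-style URL whose path is not a single token.
SAMPLE = (
    "Agenda: https://short.example/aB3xZ9. "
    "Map: https://short.example/aB3xZ9kQ2LmP "
    "Doc: https://docs.example/document/d/1Qw8rTzX0pLm4nVb7cYk2sHd9fGj3aEu6iOo5/edit"
)

if __name__ == "__main__":
    for n in (6, 11, 12):
        print(n, round(token_bits(n), 1), f"{expected_guesses(n, 1_000_000):.3g}")
    print(audit_links(SAMPLE))
```

With one million live links assumed, a 6-character token space yields a hit roughly every 57,000 guesses, while moving to 11 characters multiplies that figure by 62^5.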
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)