Lots of cloud services use URL shorteners to allow their users to share access to networked folders, but with only six characters to brute force, it's possible to scan all the URLs associated with a cloud service, locate the open shared folders, and poison them with malware while you plunder them for secrets.
A paper explaining the attack, Gone in Six Characters: Short URLs Considered Harmful for Cloud Services, makes the case that the security-through-obscurity method of relying on secret URLs leaves users vulnerable to attacks.
It's especially deadly with cloud services that sync up to your desktop or phone, since files dropped into those folders automatically find their way onto your computer.
It's not just files, either! By brute-forcing all Google Maps shorteners, you can discover peoples' private addresses and lots of other sensitive information.
In this paper, we demonstrate that the space of 5- and 6-character tokens included in short URLs is so small that it can be scanned using brute-force search. Therefore, all online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities.
In the case of cloud storage, we focus on Microsoft OneDrive. We show how to use short-URL enumeration to discover and read shared content stored in the OneDrive cloud, including even files for which the user did not generate a short URL. 7% of the OneDrive accounts exposed in this fashion allow anyone to write into them. Since cloud-stored files are automatically copied into users' personal computers and devices, this is a vector for large-scale, automated malware injection.
In the case of online maps, we show how short-URL enumeration reveals the directions that users shared with each other. For many individual users, this enables inference of their residential addresses, true identities, and extremely sensitive locations they visited that, if publicly revealed, would violate medical and financial privacy.
[Martin Georgiev and Vitaly Shmatikov/Cryptography and Security]