Shortened links should not be guessable (not predictable). Why is this a problem?

Why is it necessary that shortened links should not be guessable? This isn't a security service per se. What's the disadvantage if they were guessable?

1 Like

Hi,

Thank you for reaching out to us and giving your feedback. We’ll get back to you soon!

If you have any further concerns/questions/comments, please let us know.

Best regards,
Educative Team

Same question. No one has reached back?

Way too many hacking attacks succeed by just taking an account number, adding 1 to it, and magically getting access to another user's info. Of course, tinyUrl should always map to public URLs or “outsource” the security measures to the destination website. So no real security threats here.

However, you might still want to avoid having users “playing with your system” e.g. I create a tinyUrl that is “hsjwkf”, I am curious what “hsjwke” (one char before) or “hsjwkg” (one char after) will look like. This will at the very minimum impact your metrics or caching system in a not ideal way.

Finally, “guessable” often means “sequential”. And sequential keys might create “hotspotting” in your storage system killing your ability to scale.

9 Likes

URL shortening services map a given URL to six-letter keys. The problem is shortened URLs are too short; they’re easily guessable using brute-force techniques, which can expose users’ data and identities. Please visit URL Shorteners: Convenient But a Potential Security Risk for details.
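
The two answers above contrast sequential keys with unpredictable ones and point at the small six-character keyspace. The following added example (not code from the thread or from any real shortener) lets a service owner measure both properties on their own key generator; the base62 alphabet and all function names are assumptions.

```python
import secrets
import string

# Assumed parameters: base62 alphabet; six-character keys as mentioned in the thread.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
KEY_LEN = 6
BASE = len(ALPHABET)

def sequential_key(counter: int) -> str:
    """Counter scheme: the key is the zero-padded base62 form of an incrementing ID."""
    chars = []
    for _ in range(KEY_LEN):
        counter, rem = divmod(counter, BASE)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))

def random_key(taken: set, max_tries: int = 10) -> str:
    """CSPRNG scheme: draw uniformly at random, retry if the key is already issued."""
    for _ in range(max_tries):
        key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN))
        if key not in taken:
            taken.add(key)
            return key
    raise RuntimeError("keyspace too crowded; use longer keys")

def decode(key: str) -> int:
    """Map a key back to its integer position in the keyspace."""
    n = 0
    for ch in key:
        n = n * BASE + ALPHABET.index(ch)
    return n

def neighbour_hit_rate(issued: set) -> float:
    """Fraction of issued keys whose +1 neighbour is also a live key."""
    ids = {decode(k) for k in issued}
    return sum((i + 1) in ids for i in ids) / len(ids)

def guess_hit_probability(issued_count: int, key_len: int = KEY_LEN) -> float:
    """Chance that a single uniformly random guess resolves to a live key."""
    return issued_count / BASE ** key_len

if __name__ == "__main__":
    seq, rnd = {sequential_key(i) for i in range(1000)}, set()  # constructed samples
    for _ in range(1000):
        random_key(rnd)
    print(neighbour_hit_rate(seq), neighbour_hit_rate(rnd))
```

A neighbour hit rate near 1 means one known key reveals the rest, and `guess_hit_probability` shows how much key length is needed once the number of live links grows.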