educative.io

Shortened links should not be guessable (not predictable). Why is this a problem?

Why is it necessary that shortened links should not be guessable? This isn’t a security service per se. What’s the disadvantage if they were guessable?

2 Likes

Hi,

Thank you for reaching out to us and giving your feedback. We’ll get back to you soon!

If you have any further concerns/questions/comments, please let us know.

Best regards,
Educative Team

Same question. No one has reached back?

Way too many hacking attacks succeed by just taking an account number, adding 1 to it, and magically getting access to another user’s info. Of course, tinyUrl should always map to public URLs or “outsource” the security measures to the destination website. So no real security threats here.

However, you might still want to avoid having users “playing with your system” e.g. I create a tinyUrl that is “hsjwkf”, I am curious what “hsjwke” (one char before) or “hsjwkg” (one char after) will look like. This will at the very minimum impact your metrics or caching system in a not ideal way.

Finally, “guessable” often means “sequential”. And sequential keys might create “hotspotting” in your storage system killing your ability to scale.

12 Likes

URL shortening services map a given URL to six-letter keys. The problem is that shortened URLs are too short; they’re easily guessable using brute-force techniques, which can expose users’ data and identities. Please visit “URL Shorteners: Convenient But a Potential Security Risk” for details.

I do not see a security risk as such. The article mentioned in the previous comment mentions a similar security risk with randomized URLs.
By randomization, link sharing will have a small level of privacy. For example, when sharing my location on a map, I am relatively safer, as the hacker will be required to scan the entire range; otherwise the hacker can maintain their own DB, check back on the URLs generated, and see which ones are redirecting to maps etc.

I would guess that by being able to predict shortened URLs someone could “intercept” a short URL of a “private” (not exposed to the public, containing a query string with some sensitive values) resource by generating a short URL immediately before or after.

I still didn’t get why being predictable is a problem. Let’s take an example for concrete discussion: say, given a long URL U_l, its predictable output is U_s = F(U_l). If a hacker knows U_s & F(.), then U_l is also known using U_s and F(.). Hackers can use U_l directly. How does this expose a vulnerability of the system?

Regarding the identity issue that Joel mentioned, it’s a general risk of short URL services, instead of the hashing function being predictable or not.

Also, the solution mentioned here: Educative: Interactive Courses for Software Developers, in the “Designing a URL Shortening Service like TinyURL” topic, does not fulfill this requirement.
The keys are nothing but a sequence of base-62 numbers; in this case, anyone can easily guess this.

Predictable URLs can potentially introduce vulnerabilities that could allow attackers to launch brute-force attacks. For example, your web site can be scanned, and if your documents are publicly accessible it may cause a data leak. https://securityaffairs.co/wordpress/46377/hacking/url-shorteners-flaws.html
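The difference between the sequential base-62 keys discussed in this thread and randomly drawn six-character keys can be measured from the service operator's side. The following is an added example, not code from the course or from any poster; the alphabet order, the function names and the sample sizes are assumptions.

```python
import secrets
import string

# Assumed alphabet order (0-9, a-z, A-Z); the thread only says "base 62".
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase
KEY_LEN = 6
KEYSPACE = len(ALPHABET) ** KEY_LEN  # 62**6 possible six-character keys

def encode(n):
    """Fixed-width base-62 encoding of a counter value."""
    if not 0 <= n < KEYSPACE:
        raise ValueError("counter outside the six-character key space")
    chars = []
    for _ in range(KEY_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))

def decode(key):
    """Inverse of encode()."""
    n = 0
    for ch in key:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n

def sequential_keys(start, count):
    """Keys handed out by a plain counter, as in the design the thread criticises."""
    return [encode(start + i) for i in range(count)]

def random_keys(count):
    """Keys drawn uniformly with a CSPRNG, re-drawing on collision."""
    issued = set()
    while len(issued) < count:
        issued.add("".join(secrets.choice(ALPHABET) for _ in range(KEY_LEN)))
    return issued

def neighbour_hit_rate(issued):
    """Fraction of issued keys whose successor (value + 1) is also a live key."""
    issued = set(issued)
    hits = 0
    for key in issued:
        nxt = decode(key) + 1
        if nxt < KEYSPACE and encode(nxt) in issued:
            hits += 1
    return hits / len(issued)

def expected_probes_per_hit(issued_count):
    """Mean uniform guesses needed to land on a live key at a given population."""
    return KEYSPACE / issued_count
```

With a counter, knowing one key makes its neighbour live almost every time; with random keys the neighbour is almost never live, but `expected_probes_per_hit` still shrinks as the six-character space fills up, which is the "too short" concern raised in the thread.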