Computer security researchers Martin Georgiev and Vitaly Shmatikov have found a vulnerability in the way shortened URLs are generated.
The weakness in shortened URLs could expose personal data to attackers who are motivated enough to go after it.
According to Georgiev and Shmatikov, the two security researchers who discovered the vulnerability, the way a regular URL of around 150 characters is shortened to a 6-character token leaves a token space small enough to scan: an attacker who guesses tokens at scale can find your Google Maps direction requests and the personal files you keep in the cloud.
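Added example (not from the researchers' paper or from the article): a Python model of the token-guessing attack described above, with a toy in-memory shortener to confirm the estimate empirically and a helper that mints an unguessable share token. The 62-character alphabet, the figure of 20 billion issued links, the probe counts and the constructed example URLs are assumptions chosen for illustration, not figures from the paper.

```python
import math
import random
import secrets
import string

# 62-character alphabet (assumption: the URL-safe [a-zA-Z0-9] set bit.ly-style tokens use)
ALPHABET = string.ascii_letters + string.digits


def token_space(length, alphabet=ALPHABET):
    """Number of distinct tokens of a given length."""
    return len(alphabet) ** length


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random token, in bits."""
    return length * math.log2(len(alphabet))


def scan_estimate(length, links_issued, probes, probes_per_second, alphabet=ALPHABET):
    """Estimate what a random-token scanner gets against a shortener.

    `occupancy` is the fraction of the token space that resolves to a real link.
    A uniformly random probe hits a live link with exactly that probability, so the
    expected number of links discovered depends on occupancy, not on token length
    as such: longer tokens help because they drive occupancy toward zero.
    """
    space = token_space(length, alphabet)
    occupancy = min(1.0, links_issued / space)
    return {
        "space": space,
        "occupancy": occupancy,
        "expected_hits": probes * occupancy,
        "seconds_to_enumerate_all": space / probes_per_second,
    }


class ToyShortener:
    """In-memory shortener that hands out random tokens; a stand-in for a real service."""

    def __init__(self, length, alphabet, rng):
        self.length, self.alphabet, self.rng = length, alphabet, rng
        self.table = {}

    def shorten(self, url):
        while True:
            token = "".join(self.rng.choice(self.alphabet) for _ in range(self.length))
            if token not in self.table:  # never hand out the same token twice
                self.table[token] = url
                return token

    def resolve(self, token):
        return self.table.get(token)


def scan(shortener, probes, rng):
    """Attacker side: guess uniformly random tokens and count the ones that resolve."""
    hits = 0
    for _ in range(probes):
        guess = "".join(rng.choice(shortener.alphabet) for _ in range(shortener.length))
        if shortener.resolve(guess) is not None:
            hits += 1
    return hits


def simulate(length, links, probes, seed=1, alphabet="abcdefghij"):
    """Issue `links` short URLs at the given token length, then scan with `probes` guesses.

    The 10-letter alphabet keeps the toy space small (10**length) so the run is fast.
    """
    rng = random.Random(seed)  # seeded so the toy run is reproducible
    service = ToyShortener(length, alphabet, rng)
    for i in range(links):
        service.shorten(f"https://example.invalid/private/{i}")  # constructed URLs
    return scan(service, probes, rng)


def mint_share_token(nbytes=16):
    """Unguessable share token: 128 bits from the OS CSPRNG, URL-safe base64 (22 chars)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for length in (6, 12):
        est = scan_estimate(length, links_issued=20_000_000_000,
                            probes=100_000_000, probes_per_second=1_000)
        print(f"{length}-char tokens ({entropy_bits(length):.1f} bits):", est)
    print("toy 3-char tokens, 400 links, 5000 probes ->", simulate(3, 400, 5000), "hits")
    print("toy 12-char tokens, 400 links, 5000 probes ->", simulate(12, 400, 5000), "hits")
    print("fresh share token:", mint_share_token())
```

The point the estimate makes is that a 6-character token from a 62-character alphabet has only about 36 bits of entropy, and if the shortener has handed out a sizeable fraction of that space then roughly that fraction of random guesses resolve to someone's private link; the toy run reproduces this, and lengthening the token to 12 characters drops the hit rate to effectively zero for the same number of probes.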
The researchers were able to find files stored on Microsoft OneDrive and Google Drive by scanning the short URLs through which they had been shared. Some of the folders reached through shortened URLs were writable, which would let just about anybody in the world drop malicious files into the victim's cloud storage.
That makes the risk serious: cloud storage clients sync automatically, so a file dropped into a victim's cloud folder is copied down to every desktop that syncs that account.
The researchers warn that this creates a very real danger of “large-scale malware injection.” They claim that 7% of the OneDrive and Google Drive shares they reached this way were vulnerable to the attack.
Much of the data stored online is private and confidential, and the problem extends to maps: shortened Google Maps URLs often encode directions between two private addresses, so inferring a relationship between the people at those addresses is trivial.
The situation worsens when the data is highly personal, such as directions to places of worship or medical information. In the course of their research the duo were able to identify people who had visited juvenile facilities, pawn brokers and similar locations, information that is ordinarily kept private and confidential.
Most people who put confidential files online probably subscribe to a “security through obscurity” mentality: since nobody knows what you have uploaded to your cloud storage, nobody will be able to find it.
The paper detailing this vulnerability blows that notion out of the water. Just because a file has not been shared publicly does not mean the public cannot reach it: a short URL that can be guessed is as good as a public link.
As the paper puts it, “each resource shared via short URL is thus effectively public, and can be accessed by anyone anywhere in the world.” In their words, “automatically generated short URLs are a terrible idea for cloud services.”
Microsoft reacted to the release of the paper by saying it “does not currently warrant an MSRC case,” while at the same time quietly removing the shorten-link function from OneDrive. That is not really a solution, since links that were already generated remain guessable and existing users remain exposed.
As for Google, it has doubled the length of the tokens in shortened Maps URLs and told Wired that it “appreciate[s] contributions to the safety of Google Maps and Google products.”