Maps [1]. They demonstrated how short-URL
enumeration could be used to discover and read
shared content stored in the OneDrive cloud and find
information shared using Google Maps. The authors
found that 7% of the OneDrive accounts exposed
in this fashion allow anyone to write into them.
They also discovered that short-URL enumeration
for Google Maps revealed directions that users
shared with each other, enabling inference about
residential addresses, true identities, and sensitive
locations, such as abortion, mental-health, and
addiction-treatment clinics and other medical facilities,
as well as prisons and juvenile detention centers.
ShoutKey is a familiar URL shortener in the
classroom. It has garnered a significant audience of
educators, who can easily share links to class activities
by telling the class the single word that forms the ShoutKey
link. At MIT, it has been used in courses including
6.813 (User Interface and Design) and 6.005 (Elements
of Software Construction). Given the recently
published papers regarding the security breaches of
URL shortening services, we were motivated to
investigate potential security flaws in ShoutKey,
since it is widely used by educators and students alike
on campus.
3 Security / Attack Model
The use of the ShoutKey shortening service imposes
risks on users submitting URLs. These threats are
discussed in the following sections.
3.1 Privacy
In our project, we describe an experiment in which we
enumerate words in the English dictionary to search
for secret URLs that users have shortened using the
ShoutKey website. By implementing a simple dictionary
attack, a malicious third party could easily view
and make edits to private documents that were intended
to be shared only with those who have knowledge
of the corresponding ShoutKey. If the third
party has malicious intent and a target URL in
mind, they could simply enumerate through the dictionary
until they find the ShoutKey that redirects
to the URL of interest. We found several URLs that
led to private video conference calls, Google documents,
Google forms, and even coding interview links
that we could access and edit. More information regarding
the results of our attack can be found in Section
4.1.2.
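The enumeration described above is visible to the service operator as one client walking a word list: many distinct keys, almost all of which do not resolve. The following Python is an added example, not code from the paper or from ShoutKey; it flags such clients in Common Log Format access logs. The log lines, the thresholds, and the assumption that only a valid key answers with a 3xx redirect (the signal the paper's own test relies on) are constructed for this example.

```python
import re
from collections import defaultdict

# Common Log Format line with the request line; fields we do not use are skipped.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# A ShoutKey-style key is a single lowercase dictionary word directly under the root.
KEY_RE = re.compile(r"^/([a-z]+)/?$")

def parse_key_request(line):
    """Return (client_ip, key, status) for a key lookup, None for any other line."""
    m = LOG_RE.match(line)
    k = KEY_RE.match(m.group("path")) if m else None
    if not k:
        return None
    return m.group("ip"), k.group(1), int(m.group("status"))

def enumeration_suspects(lines, min_keys=20, min_miss_ratio=0.8):
    """Map client IP -> (distinct keys tried, miss ratio) for clients that look like they
    are walking a word list. A lookup is a hit only if the service answered with a 3xx
    redirect, the same signal the paper's test used; thresholds are assumptions here."""
    keys, misses, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_key_request(line)
        if rec is None:
            continue
        ip, key, status = rec
        keys[ip].add(key)
        total[ip] += 1
        if not 300 <= status < 400:
            misses[ip] += 1
    suspects = {}
    for ip in keys:
        ratio = misses[ip] / total[ip]
        if len(keys[ip]) >= min_keys and ratio >= min_miss_ratio:
            suspects[ip] = (len(keys[ip]), round(ratio, 2))
    return suspects

# Constructed sample log: one client walks 25 words alphabetically and gets three
# redirects; a normal client reuses the two keys it was told; one static-asset line.
WORDS = ("aardvark abacus abandon abbey abbot abdomen abide ability able abnormal "
         "aboard abode abolish abort abound about above abroad abrupt absent "
         "absorb abstract absurd abuse abyss").split()

def _line(ip, path, status):
    return f'{ip} - - [01/May/2016:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = [_line("10.0.0.5", "/" + w, 302 if i % 12 == 0 else 200) for i, w in enumerate(WORDS)]
SAMPLE_LOG += [_line("192.0.2.9", "/abbey", 302), _line("192.0.2.9", "/abbey", 302),
               _line("192.0.2.9", "/about", 302), _line("198.51.100.7", "/static/app.js", 200)]
```

On the constructed log, `enumeration_suspects(SAMPLE_LOG)` reports only the word-walking client, with 25 distinct keys and a miss ratio of 0.88; the client that reuses keys it was given is never flagged.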
3.2 Sensitive Information
Often, users are not aware of the fact that once
URLs are submitted to a URL shortening service,
the URLs are no longer private. At the very
least, the administrators of the service will have
access to the URLs. Submitting secret URLs
using ShoutKey therefore compromises the privacy
of the data contained in the URLs. From the
results of our dictionary attack as described in
Section 4.1.2, we found several ShoutKeys that
redirected to unlisted YouTube videos, that is, videos
that are not searchable using YouTube's search
interface. This therefore breaks YouTube's privacy
model for those users. We also found Google documents
that appeared to contain more private data,
including unpublished research and dissertations,
that should have been disclosed only to their authors
but were accessible to anyone with the ShoutKey link.
ShoutKey currently has no published Privacy Policy
on its website that assures the privacy of submitted
URLs. Clearly, however, given the results of our
attack, there exists a significant portion of users who
did not heed the lack of privacy settings and went on
to share very sensitive information using ShoutKey.
This suggests a clear need for more secure measures
to address the vulnerabilities of ShoutKey.
4 ShoutKey Security Analysis
4.1 Dictionary Attack
Since ShoutKey only uses dictionary words,
we conducted a dictionary attack that tested
http://shoutkey.com/[key] for every English word as
the key to see if any of the URLs redirected, taking