Hijacked for six characters. Link shorteners succumbed to brute force
Link shorteners like bit.ly , goo.gl, and others generate links with a token of 5, 6, or 7 characters. As it turned out, this is too small, so that the entire address space can be tied up. Professor Vitaly Shmatikov from Cornell University of Technology with a colleague, an independent researcher Martin Georgiev, scanned the address space of shortcuts - and found a lot of documents on cloud hosting . It would seem that this? But it turned out that the predictable structure of a long URL sometimes allows for one found document to access other documents on the hosting or, in general, to all documents !
In particular, until March 2016, such a long URL structure was hosted on Microsoft OneDrive (described below), but a similar principle can be found on other services.
Link shortener is built into OneDrive and other cloud services, so a short address is automatically assigned to each document, even with secret information. Well, if someone selects this address, he can get access to the account, edit the documents, inject the Trojan downloader, etc.
The results of the 18-month work, the researchers published in the report .
As the report shows, the authors focused on two abbreviations that are built into OneDrive and Google Maps.
Onedrive
Here, the address of documents and folders are encoded in the domain address 1drv.ms , served Bitly operator and they are assigned the same token, as on the bit.ly . In other words, any token scan bit.ly automatically finds and addresses 1drv.ms . During a test scan, 100,000,000 URLs in the bit.ly domain with randomly selected 6-character tokens 42% turned out to be active URLs. Of these, 19,524 led to documents and folders on OneDrive / SkyDrive hosting. But that's not all.
As it turned out, OneDrive addresses have a predictable structure. Knowing the full URL of a single document, you can construct the root URL and automatically go to your account, open all files and folders.
For example, you discover brute force the URL http://1drv.ms/1xNOWV7 , which resolves to https://onedrive.live.com/?cid=485bef1a80539148&id=485BEF1A80539148!115&ithint=folder,xlsx&authkey=!AOOp2TqTTSMT5q4 .
From the long URL, we extract the cid and authkey parameters with which we construct the root URL for the account: https://onedrive.live.com/?cid=485bef1a80539148&authkey=!AOOp2TqTTSMT5q4 .
To gain access to a specific document, you need to find elements with href attributes containing & app = , & v = , /download.aspx in the source code of the page on cloud hosting . or / survey?(this particular method does not seem to work since March 2016).

To search for other folders, you need to search for links that start with onedrive.live.com and contain the account cid .
By this method, the authors of the study revealed another 227,276 documents on OneDrive hosting.
Tellingly, about 7% of the found folders were open for writing. No need to explain what this means, considering how easy it is to bypass the built-in OneDrive antivirus.
Google maps
Until September 2015, goo.gl/maps had tokens of 5 characters. A random sample scan revealed 23,965,718 active links, of which 10% turned out to be maps with traffic routes, including to hospitals for patients with cancer and mental disorders, centers for alcoholics and drug addicts, abortions centers, and prisons. In general, delicate information. For example, a route from the abortion center to a specific address, in principle, suggests a place of residence for a person. If this is a house where one woman lives, then assume a person. Then, make a map with all addresses where this address was the starting or ending point of the movement. Here is a card for one person.

How did companies respond
Microsoft representatives after two months of correspondence said they did not consider brute force tokens a vulnerability. However, some of the methods described above have stopped working. When they contacted Microsoft again, they denied that the changes made were relevant to this report.
Google responded immediately, switched to 11-12 character tokens, and limited URL scanning.