A toy investigation into Shoutkey’s safety led unsurprisingly to multiple private documents.

Here’s the Gist.

Exposed user data

URL shorteners generally enable unsafe practices, but Shoutkey reigns supreme by using short, common words as shortener keys, forgoing request rate limiting, reusing keys, and providing no safety warnings. And while Shoutkey is just someone’s project, it’s gaining popularity.

Using a list of common English words, we can generate a list of plausible Shoutkey URLs and check whether Shoutkey redirects us to a user’s URL. The 9000 words tested led to around 80 user URLs and a hit rate of almost 1%. Multiple user URLs led to writable documents.

Shoutkey-specific issues

Shoutkey makes URL scanning too easy. Casual users won’t realize:

  • the consequences of Shoutkey exposing their data to the world
  • anyone can peruse their data, and even overwrite or remove editable documents
  • Shoutkey is a single-person project, meaning things like request rate limiting aren’t present and won’t be implemented

In light of these issues, developers should promote the use of established, well-supported shorteners like bit.ly or goo.gl. And remind people to password-protect their shared documents.

Suggested improvements

The main benefit of Shoutkey over other shorteners is its use of real-word keys. To preserve this benefit while increasing the key search space, switch to using Diceware-like keys.

At the very least, a proper landing page warning message is in order.
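To make the two improvements concrete (the larger Diceware-like key space suggested above, and the request rate limiting the post notes is missing), here is an added illustration in Python. It is not Shoutkey's code: the word list is a constructed ten-word sample standing in for a full 7776-word Diceware list, the hit-rate estimate assumes keys are assigned uniformly at random, and the limiter is a generic sliding-window counter of the kind any shortener could put in front of its redirect endpoint.

```python
import math
import secrets
from collections import defaultdict, deque

# Constructed sample; a real deployment would load a full Diceware list.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "lemon",
                "forest", "candle", "window", "silver", "meadow"]
DICEWARE_LIST_SIZE = 7776  # 6^5 entries in the standard Diceware list


def key_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Bits of entropy in a key of n_words drawn uniformly from wordlist_size."""
    return n_words * math.log2(wordlist_size)


def expected_hit_rate(live_keys: int, keyspace_size: int) -> float:
    """Fraction of blind probes expected to land on a live key, assuming
    keys are assigned uniformly at random over the whole key space."""
    return live_keys / keyspace_size


def make_key(words, n_words: int = 3, sep: str = "-") -> str:
    """Build a Diceware-like key from n_words chosen with a CSPRNG
    (secrets, not random.choice) so keys are not predictable."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Single common word vs. three Diceware words as the key space.
    print(f"1 word : {key_entropy_bits(DICEWARE_LIST_SIZE, 1):.1f} bits")
    print(f"3 words: {key_entropy_bits(DICEWARE_LIST_SIZE, 3):.1f} bits")
    # Illustrative comparison using the post's figures (about 80 live keys,
    # 9000-word namespace) against a 3-word key space of the same live count.
    print(f"hit rate, 1-word keys : {expected_hit_rate(80, 9000):.4f}")
    print(f"hit rate, 3-word keys : {expected_hit_rate(80, DICEWARE_LIST_SIZE ** 3):.2e}")
    print("sample key:", make_key(SAMPLE_WORDS))
    limiter = SlidingWindowLimiter(limit=3, window=60.0)
    print([limiter.allow("203.0.113.7", t) for t in (0.0, 1.0, 2.0, 3.0, 60.0)])
```

The entropy figures show why the multi-word key matters: three words from a 7776-word list give roughly 39 bits, so the blind-probe hit rate drops from the order of 1% to a negligible fraction even if the number of live links stays the same. The limiter closes the other half of the problem by making any bulk probing that remains slow and noisy enough to notice.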