URL shorteners are convenient, but they have long made security practitioners uneasy because a shortened address hides where it actually leads.
Two researchers have now given you new reasons to fear URL shorteners, especially for those storing and sharing data on cloud-based services.
Independent researcher Martin Georgiev and Cornell University professor Vitaly Shmatikov yesterday published a paper called “Gone in Six Seconds: Short URLs Considered Harmful for Cloud Services” in which they describe weaknesses in services such as bit.ly and goo.gl that can be exploited to find supposedly private documents stored on Microsoft OneDrive accounts, and location information via Google Maps.
The problem, the researchers said, is that the short URLs are simply too short: a long URL is reduced to a domain name plus a five- to seven-character token, e.g., 1drv.ms/xxxxxx.
“The tokens are so short that the entire set of URLs can be scanned by brute force,” Shmatikov wrote in a post on Freedom to Tinker. “The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.”
The research presented in the paper took a year and a half to develop and was limited to URL shortening on OneDrive and Google Maps, both of which integrate shorteners into their collaboration services. Scanning the whole short URL space, however, is within reach of advanced, well-resourced adversaries, Shmatikov said.
“Users who generate short URLs to their online documents and maps may believe that this is safe because the URLs are ‘random-looking’ and not shared publicly. Our analysis and experiments show that these two conditions cannot prevent an adversary from automatically discovering the true URLs of the cloud resources shared by users,” the researchers wrote. “Each resource shared via a short URL is thus effectively public and can be accessed by anyone anywhere in the world.”
The researchers explain that OneDrive integrates bit.ly as its shortener, so they scanned, via the services’ APIs, more than 100 million bit.ly URLs with random six-character tokens and found that 42 percent of them resolved to real URLs; almost 20,000 led to live OneDrive files and folders, they said.
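The brute-force argument in the preceding paragraphs comes down to two pieces of arithmetic: how big the token space is relative to an attacker's request budget, and how a random sample of that space extrapolates to the whole. The following Python, added here as an illustration and not code from the paper or from the researchers, works through both. It computes the 5-, 6- and 7-character token spaces (and, for comparison, the 11- and 12-character ones) and the days needed to enumerate each at an assumed aggregate request rate, then runs a sample-and-extrapolate scan against a simulated resolver whose mapping is a hash-based model rather than any real service. The 62-symbol alphabet, the 100,000 requests per second budget, the 42 percent live fraction, the target_fraction parameter and the onedrive.live.com target host are assumptions or constructed parameters, not measurements.

```python
import hashlib
import math
import random
import string
from typing import Optional

# Assumption: tokens are drawn from the 62 case-sensitive letters and digits, as
# bit.ly-style tokens appear to be; the token lengths used below come from the article.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_DAY = 86_400


def token_space(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct tokens of the given length."""
    return len(alphabet) ** length


def scan_days(length: int, requests_per_second: float, alphabet: str = ALPHABET) -> float:
    """Wall-clock days needed to try every token once at a sustained aggregate request rate."""
    return token_space(length, alphabet) / requests_per_second / SECONDS_PER_DAY


def random_token(length: int, rng: random.Random, alphabet: str = ALPHABET) -> str:
    """Uniformly random token: a scanner that cannot cover the space enumerates a sample of it."""
    return "".join(rng.choices(alphabet, k=length))


class SimulatedShortener:
    """Constructed stand-in for a shortener's resolve endpoint; it is not a real API.

    Whether a token "resolves" is decided by hashing the token, so the mapping is fixed
    and repeatable without storing billions of entries. live_fraction and target_fraction
    are simulation parameters chosen for this example, not measurements.
    """

    def __init__(self, live_fraction: float, target_fraction: float, target_host: str) -> None:
        self.live_fraction = live_fraction      # share of the token space that was ever issued
        self.target_fraction = target_fraction  # share of live links pointing at target_host
        self.target_host = target_host
        self.calls = 0  # real scans are bounded by API rate limits; count calls to keep that visible

    def resolve(self, token: str) -> Optional[str]:
        """Return the long URL for a token, or None if the token was never issued."""
        self.calls += 1
        digest = hashlib.sha256(token.encode()).digest()
        u = int.from_bytes(digest[:8], "big") / 2**64   # uniform in [0, 1)
        if u >= self.live_fraction:
            return None
        v = int.from_bytes(digest[8:16], "big") / 2**64
        host = self.target_host if v < self.target_fraction else "example.org"
        return f"https://{host}/{digest.hex()[:12]}"


def sample_scan(shortener: SimulatedShortener, length: int, sample_size: int,
                rng: random.Random) -> dict:
    """Resolve sample_size random tokens and extrapolate the counts to the whole token space."""
    live = target = 0
    prefix = f"https://{shortener.target_host}/"
    for _ in range(sample_size):
        long_url = shortener.resolve(random_token(length, rng))
        if long_url is None:
            continue
        live += 1
        if long_url.startswith(prefix):
            target += 1
    space = token_space(length)
    p = live / sample_size
    # 95% normal-approximation interval on the live fraction, scaled to the full space
    half_width = 1.96 * math.sqrt(p * (1 - p) / sample_size)
    return {
        "sampled": sample_size,
        "live": live,
        "target": target,
        "live_fraction": p,
        "estimated_live_total": int(p * space),
        "estimated_live_interval": (int((p - half_width) * space), int((p + half_width) * space)),
        "estimated_target_total": int(target / sample_size * space),
    }


if __name__ == "__main__":
    rate = 100 * 1_000  # assumption: 100 machines sustaining 1,000 requests/s each
    for n in (5, 6, 7, 11, 12):
        print(f"{n}-char tokens: {token_space(n):.3e} tokens, "
              f"{scan_days(n, rate):,.1f} days to enumerate at {rate:,} req/s")
    # Constructed parameters: 42% of tokens live (the article's bit.ly figure) and
    # roughly one live link in 2,000 pointing at the target host.
    sim = SimulatedShortener(live_fraction=0.42, target_fraction=0.0005,
                             target_host="onedrive.live.com")
    print(sample_scan(sim, 6, 100_000, random.Random(1)))
```

At the assumed rate the six-character space (62^6, about 5.7e10 tokens) is enumerated in under a week, whereas the twelve-character space takes on the order of 10^11 days, which is why lengthening the token is an effective response. The extrapolation step is the reasoning behind the article's figures: a 100-million-token sample is under 0.2 percent of the six-character space, so every hit in such a sample stands for several hundred tokens in the space as a whole.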
Worse for the OneDrive scenario is that the URL structure is predictable.
“From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account, discovering all files and folders shared under the same capability as the seed document or without a capability,” Shmatikov said.
Their scans found thousands of exposed OneDrive folders with write permissions.
“Since cloud-stored files are automatically copied into users’ personal computers and devices, this is a vector for large-scale, automated malware injection,” the researchers wrote.
With Google Maps, the researchers were able to find close to 24 million live links, 10 percent of which were for maps with driving directions. Because those maps reveal the destinations people looked up, a great deal of sensitive personal information is exposed on the public Internet.
“For many individual users, this enables inference of their residential addresses, true identities, and extremely sensitive locations they visited that, if publicly revealed, would violate medical and financial privacy,” they wrote.
The researchers reported their findings privately to Microsoft and Google. Google responded by generating goo.gl/maps URLs with 11- or 12-character tokens, and also took steps to limit scanning of existing URLs, Shmatikov said.
Microsoft, meanwhile, had a two-month email exchange with the researchers over the issue, they said, before informing them last August that their work did not warrant investigation by the Microsoft Security Response Center (MSRC).
As of March, however, OneDrive no longer offers a URL shortening option.
“After we contacted MSRC again, they denied that these changes have anything to do with our previous report and reiterated that the issues we discovered do not qualify as a security vulnerability,” Shmatikov said. “As of this writing, all previously generated short OneDrive URLs remain vulnerable to scanning and malware injection.”