Shortened URLs Expose Private Cloud Data

Short-URL enumeration can be used to discover and read shared content stored in the cloud, including files for which the user didn’t create a short URL, researchers have demonstrated.

According to Martin Georgiev, independent researcher, and Vitaly Shmatikov of Cornell Tech, the space of 5- and 6-character tokens included in short URLs is so small that it can be scanned easily using a brute-force search. Thus, content that has been shared privately is publicly accessible, which creates major security and privacy vulnerabilities, the researchers say.

In their paper, the two researchers focused on Microsoft’s OneDrive cloud storage service and explain that 7 percent of all accounts exposed using short-URL enumeration allow intruders to write arbitrary content to them. Furthermore, researchers say, since the files saved in the cloud are automatically written on the local hard drive, the flaw could be exploited for large-scale malware injection.

Many URL shortening services create URLs so short that the entire space of possible URLs can be scanned or at least sampled on a large scale, the researchers say. This means that adversaries can automatically discover the true URLs of cloud resources shared by users, effectively making these resources public and accessible to anyone.

Discovering the short URL for a single file in a user’s OneDrive account could allow an attacker to expose all other files and folders owned by that user, including files that cannot be reached directly via any short URL. The paper also explains that OneDrive accounts are vulnerable to automated, large-scale privacy breaches, mainly because sensitive personal information is sometimes automatically synchronized between a user’s device and the cloud.

Microsoft’s OneDrive has an integrated URL shortener, but that does not make it more vulnerable than Google Drive, which lacks one, because users can employ third-party shorteners when sharing information. As with OneDrive, anyone able to discover the URL of a writable Google Drive folder can upload arbitrary content into it, the researchers say.

Because of short-URL enumeration, the sharing of information from online mapping services such as Google Maps, MapQuest, Bing Maps, and Yahoo! Maps exposes user data too. The paper reveals that the vulnerability can expose not only the locations that users have shared with each other, but also directions between locations, which in many cases start from or terminate at single-family residential addresses.

Some of these directions are associated with personal relationships or are highly sensitive, such as those to hospitals, clinics, physicians associated with specific diseases, and detention facilities, exposing users even further. Additionally, analytics APIs can offer more context by revealing when the directions were obtained and how often the map was referred to.

“In summary, our analysis shows that automatically generated short URLs are a terrible idea for cloud services. When a service generates a URL based on a 5- or 6-character token for an online resource that one user wants to share with another, this resource effectively becomes public and universally accessible,” the researchers explain.

The researchers say that short URLs should be made longer to prevent such attacks, that URL shorteners should warn users that a short URL might expose the content to third parties, and that cloud services should use internal, company-owned URL shorteners. That way, companies could expand the token space, monitor automated scans of the short-URL space, and take appropriate action when a scan is detected.

According to the researchers, CAPTCHAs could be introduced to improve security, and the API design of URL shorteners should be changed so that attackers can’t enumerate all files and folders shared under the same capability key. In short, the long URL of a document should not expose other documents and folders in the account, a security enhancement that Microsoft has implemented this year and that Google Drive also employs when individual files are shared.
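The following Python is an added illustration, not code from the paper or from any of the services mentioned. It shows why a 5- or 6-character token space is so cheap to sample, what a token drawn from a cryptographically secure generator looks like by comparison, and the monitoring the researchers recommend: a simple detector that flags clients generating many distinct not-found short URLs in an access log. The 62-symbol alphanumeric alphabet and the log-line format are assumptions, and the sample log is constructed.

```python
import re
import secrets
from collections import defaultdict

# Assumed alphabet: case-sensitive alphanumerics (62 symbols); the article does not state it.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def token_space(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of a given length: 62**5 is under a billion."""
    return alphabet_size ** length

def expected_probes_per_hit(length, live_urls):
    """Average random guesses an enumerator spends per live short URL found, so a
    defender can see how cheap sampling the space is for a given population."""
    return token_space(length) / live_urls

def new_token(length=16):
    """Mint a token from a CSPRNG; 16 alphanumerics is ~95 bits, far beyond scan reach."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Assumed minimal access-log shape: <client> <user> "GET /<token> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ "GET /(?P<token>[A-Za-z0-9]+) HTTP/1\.1" (?P<status>\d{3})$'
)

def detect_scanners(log_lines, threshold=3):
    """Flag clients that request many distinct non-existent tokens.
    A user following shared links rarely produces 404s; an enumerator walking
    the token space produces a steady stream of them from one source."""
    misses = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            misses[m.group("ip")].add(m.group("token"))
    return {ip: len(toks) for ip, toks in misses.items() if len(toks) >= threshold}

# Constructed sample log: one ordinary client with a single typo, one client sweeping tokens.
SAMPLE_LOG = [
    '203.0.113.5 - "GET /aB3kZ HTTP/1.1" 302',
    '203.0.113.5 - "GET /aB3kX HTTP/1.1" 404',
    '198.51.100.7 - "GET /aaaaa HTTP/1.1" 404',
    '198.51.100.7 - "GET /aaaab HTTP/1.1" 404',
    '198.51.100.7 - "GET /aaaac HTTP/1.1" 302',
    '198.51.100.7 - "GET /aaaad HTTP/1.1" 404',
    '198.51.100.7 - "GET /aaaae HTTP/1.1" 404',
]

if __name__ == "__main__":
    print("5-char space:", token_space(5), "6-char space:", token_space(6))
    print("scanners:", detect_scanners(SAMPLE_LOG))
```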
