Shortened URLs Expose Private Cloud Data

Short-URL enumeration can be used to discover and read shared content stored in the cloud, including files for which the user didn’t create a short URL, researchers have demonstrated.

According to Martin Georgiev, independent researcher, and Vitaly Shmatikov of Cornell Tech, the space of 5- and 6-character tokens included in short URLs is so small that it can be scanned easily using a brute-force search. Thus, content that has been shared privately is publicly accessible, which creates major security and privacy vulnerabilities, the researchers say.

In their paper, the two researchers focused on Microsoft’s OneDrive cloud storage service and explain that 7 percent of all accounts exposed using short-URL enumeration allow intruders to write arbitrary content to them. Furthermore, researchers say, since the files saved in the cloud are automatically written on the local hard drive, the flaw could be exploited for large-scale malware injection.

Many URL shortening services create URLs so short that the entire space of possible URLs can be scanned or at least sampled on a large scale, the researchers say. This means that adversaries can automatically discover the true URLs of cloud resources shared by users, effectively making these resources public and accessible to anyone.

Discovering the short URL for a single file in a user’s OneDrive account could allow an attacker to expose all the other files and folders owned by that user, including files that cannot be reached directly via a short URL. The paper also explains that OneDrive accounts are vulnerable to automated, large-scale privacy breaches, mainly because sensitive personal information is sometimes automatically synchronized between a user’s device and the cloud.

Microsoft’s OneDrive has an integrated URL shortener, but that does not make it more vulnerable than Google Drive, which lacks one, because users can employ third-party shorteners when sharing information. As with OneDrive, anyone able to discover the URL of a writable Google Drive folder can upload arbitrary content into it, the researchers say.

Because of short-URL enumeration, the sharing of information from online mapping services such as Google Maps, MapQuest, Bing Maps, and Yahoo! Maps exposes user data too. The paper reveals that the vulnerability can expose not only the locations that users have shared with each other, but also directions between locations, which in many cases start from or terminate at single-family residential addresses.

Some of these directions are associated with personal relationships or are highly sensitive, such as directions to hospitals, clinics, physicians associated with specific diseases, and detention facilities, exposing users even further. Additionally, analytics APIs can offer further context by revealing when the directions were obtained and how often the map was referred to.

“In summary, our analysis shows that automatically generated short URLs are a terrible idea for cloud services. When a service generates a URL based on a 5- or 6-character token for an online resource that one user wants to share with another, this resource effectively becomes public and universally accessible,” the researchers explain.

The researchers say that short URLs should be made longer to prevent such attacks, that URL shorteners should warn users that the URL might expose the content to third parties, and that cloud services should use internal, company-owned URL shorteners. That way, companies could expand the token space, monitor automated scans of the short-URL space, and take appropriate action when a scan is detected.
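The token-space arithmetic behind the finding described earlier, and two of the mitigations the researchers list here (a larger token space and detection of automated scans), can be made concrete. The Python below is an added example written for this article; it is not code from the paper, from Microsoft, or from any shortener. It assumes a 62-symbol [A-Za-z0-9] alphabet, a hypothetical lookup-log format of `<client_ip> <token> <status>`, and constructed sample log lines embedded in the block.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumption: the shortener draws tokens from the 62-symbol alphabet [A-Za-z0-9].
ALPHABET = string.ascii_letters + string.digits


def token_space(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of a given length."""
    return alphabet_size ** length


def bits_of_entropy(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random token, in bits."""
    return length * math.log2(alphabet_size)


def expected_probes_per_hit(length, live_tokens, alphabet_size=len(ALPHABET)):
    """If `live_tokens` tokens out of the whole space resolve to real content,
    a client probing tokens at random needs on average space/live probes to
    land on one.  Each extra character multiplies that cost by the alphabet size."""
    return token_space(length, alphabet_size) / live_tokens


def generate_token(length):
    """Cryptographically random token (secrets, not random) of the requested length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def detect_enumeration(log_lines, miss_threshold=50):
    """Flag clients whose lookups miss on many *distinct* tokens.

    Legitimate users follow links that exist, so their lookups almost always
    resolve.  A sweep of the token space produces a long run of 404s on tokens
    nobody was ever issued.  Log format assumed for this example:
    '<client_ip> <token> <status>'.  Returns {client_ip: distinct_missed_tokens}
    for every client at or above the threshold.
    """
    misses = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the monitor
        client, token, status = parts
        if status == "404":
            misses[client].add(token)
    return {c: len(t) for c, t in misses.items() if len(t) >= miss_threshold}


# Constructed sample log: one ordinary user with a single typo'd link, and one
# client that sweeps 60 unissued tokens before hitting a real one.
SAMPLE_LOG = (
    ["192.0.2.10 Ab3kQ9 200", "192.0.2.10 Zx8pL2 200", "192.0.2.10 Ab3kQa 404"]
    + [f"203.0.113.9 scan{i:03d} 404" for i in range(60)]
    + ["203.0.113.9 Ab3kQ9 200"]
)


if __name__ == "__main__":
    for n in (5, 6, 10):
        print(f"{n}-char tokens: {token_space(n):,} possible, "
              f"{bits_of_entropy(n):.1f} bits, "
              f"{expected_probes_per_hit(n, 1_000_000):,.0f} probes per hit "
              f"with 1M live links")
    print("fresh 10-char token:", generate_token(10))
    print("suspected scanners:", detect_enumeration(SAMPLE_LOG))
```

The numbers make the paper's point directly: a 6-character token gives about 35.7 bits, so with a million live links a random probe hits real content roughly once every 57,000 requests, which is trivial at scale; each added character multiplies that cost by 62. The detector keys on distinct missed tokens rather than raw request volume so that a user retrying one broken link is not flagged, while a sweep is.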

According to the researchers, CAPTCHAs could be introduced to improve security, while the API design of URL shorteners should be changed so that attackers can’t enumerate all files and folders shared under the same capability key. Basically, the long URL of a document should not expose other documents and folders in the account, a security enhancement that Microsoft has implemented this year and that Google Drive employs as well when individual files are shared.
