The problem was exposed by Martin Georgiev and Vitaly Shmatikov following investigations of abridged web addresses used by companies such as Google, Microsoft and bit.ly.
In a report called “Gone in Six Seconds: Short URLs Considered Harmful for Cloud Services”, the pair described how flaws in these services can be exploited to find private documents in OneDrive and location information from Google Maps.
The crux of the problem is that the URLs are so short that brute force attacks can be used to unearth information about them.
“The tokens are so short that the entire set of URLs can be scanned by brute force,” Shmatikov said. “The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at their disposal.”
The research was limited to OneDrive and Google Maps, both of which integrate shortened URLs into their services. Scanning these URLs is within reach of well-resourced hackers, claimed Shmatikov.
“Users who generate short URLs to their online documents and maps may believe that this is safe because the URLs are ‘random-looking' and not shared publicly. Our analysis and experiments show that these two conditions cannot prevent an adversary from automatically discovering the true URLs of the cloud resources shared by users,” the researchers said. “Each resource shared via a short URL is thus effectively public and can be accessed by anyone anywhere in the world.”
With OneDrive, the researchers said the URL structure was predictable.
“From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account, discovering all files and folders shared under the same capability as the seed document or without a capability,” said Shmatikov.
The researchers also unearthed thousands of OneDrive folders with write permissions. Since cloud-stored files are automatically copied to users' personal computers and devices, “this is a vector for large-scale, automated malware injection,” they said.
When the researchers looked at Google Maps, they discovered 24 million live links, one in ten of which exposed driving directions.
“For many individual users, this enables inference of their residential addresses, true identities, and extremely sensitive locations they visited that, if publicly revealed, would violate medical and financial privacy,” said the researchers.
The researchers said that their findings had been reported to Microsoft and Google. Google has since changed shortened Google Map links to 12-character tokens. Microsoft no longer offers a URL shortening service.
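To make the brute-force argument concrete, this added Python example (not from the paper or the article) models how long a full scan of a token space takes at a given request rate, what token length a shortener needs to make that scan impractical, and how a token should be generated; it assumes a 62-symbol alphanumeric alphabet and uses six characters as the illustrative short length, neither of which the article states, and the request rate is a constructed figure.

```python
import secrets
import string

# Assumed token alphabet: case-sensitive letters and digits (62 symbols).
# The article does not state the alphabet; this is an assumption for the estimate.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def full_scan_seconds(length: int, requests_per_second: float,
                      alphabet_size: int = len(ALPHABET)) -> float:
    """Wall-clock time to try every token once at a fixed request rate."""
    return keyspace(length, alphabet_size) / requests_per_second


def min_token_length(requests_per_second: float, target_years: float,
                     alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest token length for which a full scan at the given rate
    takes at least target_years; a defender's sizing rule for a shortener."""
    target_seconds = target_years * SECONDS_PER_YEAR
    length = 1
    while full_scan_seconds(length, requests_per_second, alphabet_size) < target_seconds:
        length += 1
    return length


def new_token(length: int) -> str:
    """Draw a token from a CSPRNG. 'Random-looking' is not the point;
    the length chosen by min_token_length is what defeats enumeration."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rate = 1_000_000  # constructed: a million guesses per second across a few machines
    for n in (6, 12):
        days = full_scan_seconds(n, rate) / 86400
        print(f"{n}-char tokens: keyspace={keyspace(n):.3e}, full scan={days:.1f} days")
    print("minimum length for a 100-year scan at that rate:", min_token_length(rate, 100))
    print("sample token:", new_token(12))
```

At the constructed rate a six-character space is exhausted in under a day, while twelve characters push the same scan past a hundred million years.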
Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that the malware injection problem is the more alarming one.
“It's likely that a serious attacker is more interested in getting onto your PC than getting hold of a specific file that someone is prepared to share with you over a shortened URL… In this context, this is just another means for attackers to target vulnerable devices over the Internet,” he said.
Guy Bunker, SVP at Clearswift, told SCMagazineUK.com that to prevent information leakage in this case, various other technologies could be used both to protect a UK organisation from being infected via a malicious URL and to stop information inside the organisation from leaking out.
“Awareness that shortened URLs are a threat vector and employees should be cautious when clicking on them is also advisable. From a marketing perspective, don't use shortened URLs – as more people become more wary, keep the transparency – and the longer URL,” he said.
Ken Munro, partner at Pen Test Partners, told SCMagazineUK.com that the biggest problem here is that users don't always understand the mechanism and how it works.
“OneDrive recently changed its UI (User Interface) so that the default is to share a document with no permissioning on it, and that's going to mean the bulk of the links being sent from OneDrive are not secured by anything except the URL. And consider also that URL shortening isn't always conscious either. If I send a DM (Direct Message) via Twitter using Tweetbot, it automatically shortens the URL. I've seen the same with private messages in forums as well, presumably for the purposes of analytics. So now my long, secure URL has been turned into a short, insecure one without my knowledge.”
He added that even with high entropy, URLs end up getting logged (if not HTTP), and are left in the history of chat sessions etc. “I can't see any way of removing the links once they are in place,” he added.