Google addresses found in short URLs associated with a single user in Austin, Texas, courtesy of Google’s old 5-character short URL tokens.Vitaly Shmatikov
Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service in search of content, because of how predictable and short those addresses are.
Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps—”branded” domains of the bit.ly domain shortening service. Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible.
Google Maps has an embedded a tool that creates URLs with the goo.gl domain.
Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. “We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary),” Shmatikov wrote in a blog post today, “but we sampled enough to discover interesting information and draw important conclusions.” One of those conclusions was that Microsoft’s OneDrive shortened URLs were entirely too easy to traverse.
To search for shared cloud files, the pair performed a sample scan of 100 million bit.ly shortened domains, generating random six-character tokens, using 189 separate machines to access the bit.ly service’s search API, and a similar number of seven-character tokens by simply appending a “1” to the beginning of a random six-character string.
Searching for Google’s shortened URLs was simpler: prior to last September, Google only used a five-character token for the short URLs generated from Maps.
The researchers discovered over 23 million Google Maps URLs in their samples, about 10 percent of which were for stored directions from one location to another and the remainder address locations.
These were largely associated with specific Google user accounts, creating a potential privacy hole—the researchers could determine who shared directions based on home addresses:
The endpoints of driving directions shared via short URLs often contain enough information to uniquely identify the individuals who requested the directions.
For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a planned parenthood facility.
Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom.
Fine-grained data associated with individual residential addresses can be used to infer interesting information about the residents.
For instance, we conjecture that one of the most frequently occurring residential addresses in our sample (see Figure 4) is the residence of a geocaching enthusiast. He or she shared directions to hundreds of locations around Austin, TX, many of them specified as GPS coordinates. We have been able to find some of these coordinates in a geocaching database.
When presented with the information by the researchers, Google increased the size of its tokens for Maps short URLs to 11 or 12 characters.
The contents of the bit.ly address space searched also had privacy implications. Of the six-character tokens, “42% resolved to actual URLs,” Shmatikov wrote— 42,229,055 URL mappings, of which “19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live.” The seven-character tokens had a 29 percent hit rate, with 47,081 OneDrive and SkyDrive URLs—35.541 of them live.
Since bit.ly URLs are not entirely random, the pair noted in the paper, it was possible to adjust the search to specific blocks of token addresses to get even higher success rates.
In total, the links gave the researchers access to over 1.3 million files in the OneDrive cloud, based on parsing of the full URLs discovered.
Based on the data, the researchers concluded that about 7 percent of OneDrive short URLs linked to “open” accounts—files and folders that were shared with write access.
There were hundreds of Google Drive links as well in the bit.ly data. “As with OneDrive, anyone who discovers the URL of a writable Google Drive folder can upload arbitrary content into it, which will be automatically synced with the user’s devices,” the researchers noted.
That could make it possible for an attacker to mine shortened URLs for places to drop malware.
Based on the size of the bit.ly address space, the researchers believe that an attacker could use a botnet to search the entire address space of shortened URLs in a day. Microsoft has stopped offering URL shortening from bit.ly directly in OneDrive, and it made changes to the OneDrive full URL structure that might prevent attackers from performing mass searches for specific file types or open directories.
But the researchers noted that Microsoft did not acknowledge short URLs as a security hole and claimed the changes made to OneDrive were not related to the disclosure.