Shortened URLs are convenient: they’re a whole lot easier to handle than unwieldy strings that email messes up with line breaks when you cut and paste them.
But that same brevity also makes URLs from the likes of bit.ly, Google and Microsoft easier to crack, potentially exposing personal data to anyone who cares to look, security researchers have found.
Cornell Tech’s Martin Georgiev and Vitaly Shmatikov on Thursday published the results of an 18-month study that found the 5- or 6-character tokens added to domains such as 1drv.ms or goo.gl are so short, all possible URLs can be scanned by brute force by “anyone with a little patience and a few machines at her disposal.”
Those short URLs are, in effect, public, the researchers say.
The researchers didn’t scan all possible short URLs, though their analysis showed that a more powerful adversary could pull it off – say, with a botnet.
At any rate, they sampled enough to discover some alarmingly sensitive information that would be a boon to stalkers, along with OneDrive folders left world-writable, letting anyone, anywhere, drop malicious files into a victim's cloud storage.
The study focused on two cloud services that directly integrate URL shortening: Microsoft OneDrive (formerly known as SkyDrive) and Google Maps.
Out of the scanned OneDrive accounts, the pair claimed that 7% were vulnerable to “large-scale malware injection.”
Many of those OneDrive accounts held private documents, and many of the folders were unlocked. And because OneDrive synchronizes contents across all of a user's devices, malware dropped into one of those folders would be downloaded automatically onto every device running the OneDrive client.
Stalking came in on the Google Maps front. The researchers discovered driving directions that reveal sensitive information for individuals whom they could – and did, in one case – identify.
The shortened URLs led to Google Maps driving instructions for visits to destinations that are typically kept private, such as cancer and mental illness clinics, addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, and “gentlemen’s” clubs.
When they analyzed one Google Maps endpoint, the researchers discovered the address, full name and age of a young woman who had shared directions to a Planned Parenthood facility.
Thankfully, the pair didn’t include the woman’s name in their paper. But as Shmatikov noted to Wired, “That’s a very substantial privacy leak.”
The researchers also managed to create maps of who’s visited whom, by starting with a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address.
For example, they found that they could take a business such as a towing company, extract every set of directions created to or from its location, and infer that the residential endpoints belonged to people who'd had a vehicle towed. Pairing a customer's home address with a phone directory could then reveal their identity.
And because the Google API for short URLs reveals the exact time when the URL was created, as well as the approximate time of recent URL visits, the researchers suggest that the data could be used to create fine-grained activity profiles for users who share Google Maps directions.
Georgiev and Shmatikov also came up with some interesting conjectures: for example, one of the most frequently occurring residential addresses in their sample is likely the home of a geocaching enthusiast, given that he or she shared directions to hundreds of locations around Austin, Texas, many of which are specified as GPS coordinates.
They didn’t pry into any of these people’s private files, mind you. They didn’t have to: the metadata was enough to let them know that there was sensitive information within.
When it came to OneDrive, there are a few compounding elements to the easily guessed URLs. For one thing, the URLs for documents and folders all use the 1drv.ms domain.
That's a branded short domain operated by Bitly, and it draws on the same token space as bit.ly. That means any scan of bit.ly short URLs automatically turns up 1drv.ms URLs as well.
In their sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42% resolved to actual URLs.
Of those, 19,524 URLs led to OneDrive/SkyDrive files and folders, most of them still live.
But that, the researchers said, is just the beginning. On top of the predictable domains, OneDrive URLs have predictable structure. Tweaking one live URL let the researchers access other files and folders uploaded by the same OneDrive user.
So not only could they write to files in 7% of the found URLs, they could also spread poisonous code that much further, Shmatikov told Wired:
If someone wanted to inject a lot of malicious content into people’s computers, it’s a pretty interesting way of doing it.
By scanning you can find these folders, you put whatever you want in them, and it gets automatically copied to people’s hard drives.
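The arithmetic behind "anyone with a little patience and a few machines" is worth making explicit. The script below is an added example, not code from the Georgiev/Shmatikov paper, Bitly, Microsoft or Google. It takes the sample figures quoted above (100,000,000 random 6-character bit.ly tokens, 42% resolving, 19,524 pointing at OneDrive/SkyDrive content) and models how long a full scan takes and how many live URLs a scanner finds per second, for a few token lengths and scan rates. It assumes a 62-character token alphabet (A-Z, a-z, 0-9), which the article does not state, and the request rates are hypothetical figures chosen to contrast a handful of machines with a botnet.

```python
"""Cost model for brute-force scanning a short-URL token space.

Added example, not code from the Georgiev/Shmatikov paper, Bitly,
Microsoft or Google. Assumptions: tokens are drawn from the 62-character
alphabet [A-Za-z0-9] (the article only says 5- or 6-character tokens),
and the request rates used below are hypothetical.
"""
import math

ALPHABET_SIZE = 62  # assumption: case-sensitive letters plus digits


def keyspace(token_len: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** token_len


def token_bits(token_len: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Entropy of a uniformly random token, in bits."""
    return token_len * math.log2(alphabet_size)


def estimate_live(sample_size: int, sample_hits: int, token_len: int,
                  alphabet_size: int = ALPHABET_SIZE) -> int:
    """Extrapolate a random sample's hit count to the whole token space.

    Exact integer arithmetic with round-half-up, so the answer does not
    depend on floating-point rounding of very large products.
    """
    ks = keyspace(token_len, alphabet_size)
    return (sample_hits * ks + sample_size // 2) // sample_size


def full_scan_seconds(token_len: int, requests_per_second: float,
                      alphabet_size: int = ALPHABET_SIZE) -> float:
    """Wall-clock time to try every token once at a fixed request rate."""
    return keyspace(token_len, alphabet_size) / requests_per_second


def hits_per_second(requests_per_second: float, sample_size: int,
                    sample_hits: int) -> float:
    """Expected number of live URLs found per second of random scanning."""
    return requests_per_second * sample_hits / sample_size


def scan_report(token_len: int, requests_per_second: float,
                sample_size: int, sample_hits: int) -> dict:
    """Summarise scanning cost for one token length and one scan rate."""
    seconds = full_scan_seconds(token_len, requests_per_second)
    return {
        "token_len": token_len,
        "bits": round(token_bits(token_len), 1),
        "keyspace": keyspace(token_len),
        "full_scan_days": seconds / 86400,
        "live_per_second": hits_per_second(requests_per_second,
                                           sample_size, sample_hits),
        "estimated_live": estimate_live(sample_size, sample_hits, token_len),
    }


if __name__ == "__main__":
    # Figures quoted in the article: 100,000,000 random 6-character bit.ly
    # tokens, 42% resolved, 19,524 of them to OneDrive/SkyDrive content.
    SAMPLE = 100_000_000
    RESOLVED = 42_000_000
    ONEDRIVE = 19_524

    print("Estimated live bit.ly URLs (6 chars):", estimate_live(SAMPLE, RESOLVED, 6))
    print("Estimated OneDrive URLs (6 chars):   ", estimate_live(SAMPLE, ONEDRIVE, 6))

    # Hypothetical scan rates: a few machines vs. a botnet.
    for rate in (1_000, 1_000_000):
        for length in (6, 8, 10):
            r = scan_report(length, rate, SAMPLE, RESOLVED)
            print(f"{length}-char tokens ({r['bits']} bits) at {rate:>9,} req/s: "
                  f"full scan {r['full_scan_days']:>14,.1f} days, "
                  f"{r['live_per_second']:>10,.0f} live URLs/s")
```

Run as a script, it shows why the researchers call 6-character tokens effectively public: the whole 62^6 space is about 56.8 billion tokens, a single host at 1,000 requests per second exhausts it in under two years, and a botnet at a million requests per second does it in about 16 hours, turning up roughly 420,000 live URLs per second along the way. Ten-character tokens push the full scan at that same rate past 26,000 years, which is the point of the "make short URLs longer" option.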
The pair suggested five mitigation options in their paper:
- Make short URLs longer
- Inform users about the risks of URL shorteners
- Do not rely on universal URL shorteners
- Employ CAPTCHAs or other methods to separate human users from automated scanners
- Design better APIs for the cloud services that use short URLs
…after which they recapped the responses they got from Microsoft and Google when they informed the companies of their findings.
When they got in touch with Microsoft in May 2015, the company brushed it off, saying that enabling sharing of shortened URLs was “by design” and didn’t warrant a Microsoft Security Response Center (MSRC) case.
However, Microsoft did, in fact, remove the “shorten link” option from OneDrive last month, distressing a number of customers.
MSRC told the researchers that the removal had nothing to do with their report, which it still didn't consider a vulnerability. Microsoft did, however, change its API so that holding one seed file no longer lets an attacker guess at that user's other files and folders.
Regardless, all the shortened URLs the researchers managed to generate remained vulnerable to scanning and malware injection as of the publishing of their paper, the pair said.
Microsoft may not have considered it a security vulnerability, but Google apparently did.
The researchers informed Google about the shortened URL situation on 15 September, and within 6 days, it had switched to longer URLs that the researchers said aren’t vulnerable to brute-force scanning.