URL Shorteners: Convenient But a Potential Security Risk

Alkajak

Services that shorten URLs can be great. They help take a giant, messy, unwieldy string of text and make it a lot more manageable.

Unfortunately, some short URLs also have one major flaw: if the URL is tiny enough, they're pretty easy to guess. In most instances that doesn't matter; maybe you're just shortening an online article URL to share on Twitter. However, two security researchers published a paper yesterday that details how Microsoft's OneDrive and Google's Maps services are easily exploited by this method.

As Ars Technica reports, the URL shorteners these companies use to give users direct links to files, addresses, or directions are simply too short. Said researchers brute-forced a ton of different links and then used them as starting points for accessing the rest of a user's data or, in the case of Google Maps, a user's identity.

With OneDrive, the researchers scanned 100 million different six-digit bit.ly URLs—which map directly to the "1drv.ms" URL shortener Microsoft uses for OneDrive. Of these URLs, 42 percent were live, and 19,524 linked to OneDrive files (mostly live).

"OneDrive URLs have predictable structure. From the URL to a single shared document ("seed"), one can construct the root URL and automatically traverse the account, discovering all files and folders shared under the same capability as the seed document or without a capability," reads a blog post from one of the researchers, Cornell Tech professor Vitaly Shmatikov.

"The traversal-augmented scan yielded URLs to 227,276 publicly accessible OneDrive documents, including dozens of thousands of PDF and Word files, spreadsheets, media files, and executable binaries. A similar scan of 100,000,000 random seven-character bit.ly tokens yielded URLs to 1,105,146 publicly accessible OneDrive documents. We did not download their contents, but just from the metadata it is obvious that many of them contain private or sensitive information," he added.

Worse, around 7 percent of OneDrive folders the researchers found using this method had full write access. So, presumably, a person could easily dump malware into the folder, which would then synchronize to a person's various OneDrive-connected devices.

As for Google Maps, the researchers found just under 24 million live links when they scanned various five-digit permutations of shortened Google Maps URLs. Around 10 percent were links to maps with driving directions.

"The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom," Shmatikov wrote.

Though Microsoft has said that these issues are not themselves security vulnerabilities—surprisingly—it has since disabled bit.ly-based URL shortening within OneDrive. It also changed its URL structures to prevent digging through a person's other shared data from one successful shortened URL. As for Google, the company has switched to much longer tokens for its shortened URLs, greatly increasing the difficulty of brute-forcing live ones.

"We're continually looking for ways to improve the usability, features and security of our products and services for customers. As part of these efforts, earlier this year we began removing shortened URLs from file sharing options to simplify for users and prepare for future developments," Microsoft told Wired.

Google told Wired the company "appreciate(s) [the Cornell Tech researchers] contributions to the safety of Google Maps and other Google products. The Cornell researchers notified us last year about this issue and we've since strengthened URL protections based on their findings and our own studies."
 

JM Safe

Thanks for this thread @Alkajak , really interesting.
 

jamescv7

Definitely a risk. Few or some people know to use a tool to reveal the long/origin URL, but other than that, it's a trigger for the click-happy.
 
