Services that convert long, cumbersome URLs, such as those found in mapping directions, to short URLs are publicly exposing the original URL.
Original addresses can be obtained through brute-force scanning, researchers say. That vulnerability allows foes to track an individual’s possibly sensitive movements, as well as to see documents their owners perceive as private.
Additionally, the cloud documents exposed by brute force could allow “adversaries” to “inject arbitrary malicious content into unlocked accounts, which is then automatically copied into all of the account owner’s devices,” say Vitaly Shmatikov, of Cornell Tech, and Martin Georgiev, an independent researcher, in their paper (PDF). The two made the discovery.
Ironically, the hole exists because the tokens used are too short. The small tokens allow brute-force scanning to reveal the original URL, which can include personal information such as the origin and destination of a set of driving directions. A route from a person’s identifiable home address to a specialist treatment hospital can become visible, for example.
Data perceived as private is, in fact, public, the researchers say, and it’s so insecure it could have unhinged the cloud.
Major cloud providers have taken notice. Google Maps increased the size of its tokens from five characters to 11 or 12 after the scientists told the company about the findings, Ars Technica says. The researchers had mixed results trying to report their findings to provider firms, Shmatikov says in a Freedom to Tinker blog post.
Other URL shortening providers, including Microsoft, which uses URL shortening in its Bing products, have also made security enhancements. Older shortened URLs, however, still have the vulnerability. They have not been fixed—the URLs are out there as is.
In the case of the existing five- or six-character token URLs, “all online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities,” the scientists say.
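To make the token-length point concrete, here is an added example (not from the researchers' paper or from any provider's code) that estimates how likely random lookups are to land on a live short URL, and what token length keeps that likelihood below a chosen bound. The 62-symbol alphabet, the uniform-random lookup model, and the figures for issued links and lookups are assumptions constructed for illustration.

```python
import math
import secrets
import string

# Assumption: tokens draw from a 62-symbol alphabet (a-z, A-Z, 0-9).
ALPHABET = string.ascii_letters + string.digits

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length

def expected_hits(length, issued, guesses):
    """Expected live links found by `guesses` uniformly random lookups."""
    return guesses * issued / keyspace(length)

def p_any_hit(length, issued, guesses):
    """Probability that at least one of `guesses` random lookups is live."""
    density = issued / keyspace(length)
    if density >= 1:
        return 1.0
    # 1 - (1 - density)**guesses, computed without losing precision
    return -math.expm1(guesses * math.log1p(-density))

def min_length(issued, guesses, max_p):
    """Shortest token length that keeps p_any_hit at or below max_p."""
    length = 1
    while p_any_hit(length, issued, guesses) > max_p:
        length += 1
    return length

def new_token(length):
    """Token from the OS CSPRNG, so it cannot be predicted from earlier ones."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    issued, guesses = 100_000_000, 1_000_000_000   # constructed figures
    for n in (5, 6, 11, 12):
        print(n, keyspace(n), f"{p_any_hit(n, issued, guesses):.3g}")
    needed = min_length(issued, guesses, 1e-6)
    print("length for p <= 1e-6:", needed)
    print("sample token:", new_token(needed))
```

A longer token only raises the cost of a search; it adds no authentication to the resource behind the link.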
2 problems URL shorteners produce
One of the principal issues is that people want to use the cloud to share documents and other information with collaborators. However, the original links tend to be unwieldy and their length makes them unsuitable for text messages or Twitter—hence the shortening.
The first problem this produces is that the arbitrary appearance of the shortened URL makes users believe the URL is “safe,” the researchers say. Users think that because the URL is “not shared publicly” and its syntactical make-up is “random-looking,” the URL is secure.
It’s obviously not, because it’s just a representation of the longer URL with no added authentication for access to the document or driving directions. There’s no password, for example.
The second issue, that of the overly short tokens, compounds the security problem. The database can be queried by brute force: providers such as bit.ly and goo.gl/maps conveniently supply mapping APIs, the researchers explain. Running the API in combination with sampling allows URLs to be produced.
“By starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom,” the scientists say.
The problem is just as bad with cloud storage services. In that case one may not be handing over personally identifiable driving directions from a single-family home’s street address to a friendly drying-out clinic, say, but unsecured cloud documents can be pointed to in similar ways, the researchers say.