Slashdot Mirror


Researchers Find Vulnerabilities In Microsoft's and Google's Short URL Services (arstechnica.com)

An anonymous reader cites an article on Ars Technica: Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service (PDF) in search of content, because of how predictable and short those addresses are. Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps -- "branded" domains of the bit.ly domain shortening service. Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible. Google Maps has an embedded tool that creates URLs with the goo.gl domain. Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. "We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)," Shmatikov wrote in a blog post today, "but we sampled enough to discover interesting information and draw important conclusions." One of those conclusions was that Microsoft's OneDrive shortened URLs were entirely too easy to traverse.

8 of 48 comments

  1. Rinse and reuse by xxxJonBoyxxx · Score: 4, Insightful

    "Researchers Find Privacy Problems In Microsoft's and Google's [Variable] Services" could pretty much be a headline any day...by design.

  2. Click it or, well, just click it by Impy the Impiuos Imp · Score: 2

    What is the point of such things? Originally it seemed to be to let people type in such things from a magazine, without causing a half hour, error-prone headache.

    That is no longer the case. It is all web magazines and articles and hyperlinks with labels instead of the actual URL. So what is the point?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Click it or, well, just click it by SumDog · Score: 4, Informative

      The Google Maps URLs are nice because they contain the entire view you're seeing (including a place you have highlighted or directions). Those URLs get pretty massive and if you post them in a chat window, they tend to break (special characters and such). So I can see use cases there.

  3. Not a URL shortening vulnerability by Anonymous Coward · Score: 5, Insightful

    If you want information to be private, require authentication to access it. The real problem here is that files are shared in the cloud allowing read and, sometimes, write access without requiring authentication. The default needs to be requiring authentication and then prompting the user if they want to change the permissions. Otherwise, you're relying on security through obscurity, which isn't security at all. It's too easy for URLs to end up being found through things like the clipboard and the browser history that nobody should expect them to remain secret. Don't rely on security through obscurity. It doesn't work.

    1. Re:Not a URL shortening vulnerability by justthinkit · Score: 2

      Right. And further to that, the authors talk about a brute force scavenging of the entire database of URLs being possible because the "active bytes" at the end of the short URL are so short. Well, one could add two, or four, bytes to the end of the URL, and only use "one in every hundred numbers, determined randomly" as their algorithm, and then it wouldn't be quite so brute forceable.

      So there are _two_ implementation problems (in the case of Microsoft's 1drv.ms, and arguably one problem with the other shorteners) -- no authentication being a problem at 1drv.ms where people store their private stuff, and too-short or too-efficient of an algorithm being a potential problem with the rest of the URL shorteners.

      Hmmm, wasn't this problem solved by, ah, pretty much every other system that uses a short series of numbers, like credit cards, D/L, SSN, etc.?

      --
      I come here for the love
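The two options weighed in the comment above (using the token space sparsely versus lengthening the token), worked through as an added example that is not part of any post or of the researchers' study. The 62-character alphabet, the 6-character base length and the live-link counts are constructed assumptions, not figures from the page.

```python
import math
import secrets
import string

# Assumed alphabet: 62 case-sensitive alphanumerics (not stated on the page).
ALPHABET = string.ascii_letters + string.digits

def new_token(length: int) -> str:
    """Draw a token uniformly at random using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def expected_guesses(length: int, live_links: int) -> float:
    """Mean number of uniform random guesses until one names a live link."""
    space = len(ALPHABET) ** length
    if not 0 < live_links <= space:
        raise ValueError("live_links must be between 1 and the space size")
    return space / live_links

def work_bits(length: int, live_links: int) -> float:
    """The same quantity expressed in bits of guessing work."""
    return math.log2(expected_guesses(length, live_links))

def compare(base_len: int = 6) -> dict:
    """Constructed scenarios for a service whose token space is base_len long."""
    full = len(ALPHABET) ** base_len
    return {
        "dense, every token live": work_bits(base_len, full),
        "sparse, 1 in 100 live": work_bits(base_len, full // 100),
        "same links, 4 more chars": work_bits(base_len + 4, full),
        "same links, 22-char random token": work_bits(22, full),
    }

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:34s} {bits:6.1f} bits")
    print("example token:", new_token(22))
```

Under these assumptions, issuing only one token in a hundred adds under 7 bits of guessing work, while four extra characters add about 24; either way the token stays a bearer secret, so it does not replace the authentication asked for in the parent comment.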
  4. Is there any expectation of security? by shawn2772 · Score: 4, Informative

    The goo.gl shortener says, right below the URL entry field, "All goo.gl URLs and click analytics are public and can be accessed by anyone". I always figured that it was obvious you shouldn't use this sort of service for any URL that needed to be kept secret, and didn't have some additional access control behind it.

  5. Re:/. Keep logging anyone else out? by xxxJonBoyxxx · Score: 2

    It's the government. They're on to you. It's time to execute "the plan" - wipe your disks, burn your memory and toss your phone in the ocean. Let us know how it goes.

  6. Yeah, credentials in the URI==doing it wrong by raymorris · Score: 4, Informative

    > data protected by credentials included in the Web address

    You're doing it wrong.

    A web address, or URI, is a universal resource IDENTIFIER (or locator, for the older terminology). It specifies which data you wish to access. That's not the place for authentication to be.

    Sharing a long URL which includes your user name and password is stupid too.