Microsoft's OneDrive short URLs pointed attackers right at your private files
Researchers have found that shortened URLs from cloud services can also be abused by attackers to locate private resources, such as files or even driving directions to medical appointments.
Researchers from Cornell Tech university have published a paper demonstrating serious privacy risks from using short URLs in cloud services such as Microsoft's OneDrive and Google Maps.
The chief problem with short URLs is that the tokens they contain, at six or seven characters, span a keyspace small enough for an attacker to enumerate by brute force and so discover the full URLs of the files being shared. As a result, a shared file can be reached by anyone on the web, not just the contacts it was shared with.
Worse still, because cloud services often sync files from the cloud to a user's computer, a short URL for one file can lead an attacker to all the other files owned by a user.
The researchers also found that, for some of the accounts identified through this method, they were able to inject malware into the accounts.
The same flaws were discovered in URL-shortening services used for Microsoft's OneDrive, Google Drive, Google Maps and Bing Maps.
Microsoft in March removed the ability to generate short URLs for sharing in OneDrive. However, according to the researchers, the company denies that it removed the feature in response to their earlier vulnerability report. The researchers first reported the issue to Microsoft in May last year.
They notified Google of the information leakage from Maps' short URLs in September. Within a week of the report, Google increased the length of its short URL tokens to 11 or 12 characters, which are far harder to guess.
In the case of Maps, they found that short URLs could reveal the locations shared between contacts, as well as directions, often from a residential address to hospitals, physicians associated with specific diseases or procedures, such as abortion, and correctional facilities.
As noted by Softpedia, while probing OneDrive short URLs for leaks, the researchers scanned 100 million six-character URLs. They were able to track down nearly 20,000 real URLs that led to OneDrive folders.
Another scan for seven-character OneDrive short URLs revealed over one million documents open on the web.
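The arithmetic behind the article's figures, as an added example that is not part of the original article or the Cornell Tech paper: it sizes the token keyspace for six, seven, eleven and twelve characters, turns the reported scan (100 million six-character URLs, nearly 20,000 hits) into an average number of guesses per live link, and shows a defender-side heuristic for spotting token enumeration in a short-link resolver's logs. The 62-character alphabet, the log format and the log lines are assumptions constructed for the example; the article states none of them.

```python
"""Short-URL keyspace arithmetic plus a detection heuristic for token
enumeration. Added example; alphabet and log format are assumptions."""
import math
from collections import defaultdict

ALPHABET_SIZE = 62  # assumption: case-sensitive alphanumerics [A-Za-z0-9]


def token_space(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet ** length


def token_bits(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Entropy of a uniformly random token, in bits."""
    return length * math.log2(alphabet)


def guesses_per_hit(scanned: int, hits: int) -> float:
    """Average random guesses per live link, from a scan's observed hit rate."""
    if hits <= 0:
        raise ValueError("need at least one hit to estimate a rate")
    return scanned / hits


def estimated_live_links(scanned: int, hits: int, length: int) -> int:
    """Extrapolate an observed hit rate to the whole token space.
    Rough estimate: assumes tokens are assigned uniformly at random."""
    return round(hits / scanned * token_space(length))


def parse_resolver_line(line: str):
    """Parse one constructed log line: '<ts> <client> GET /<token> <status>'."""
    _ts, client, _method, path, status = line.split()
    return client, path.lstrip("/"), int(status)


def flag_enumerators(lines, min_requests: int = 20, min_miss_ratio: float = 0.9):
    """Clients resolving many tokens with mostly 404s look like brute-forcers.
    Returns {client: (requests, misses)} for every flagged client."""
    stats = defaultdict(lambda: [0, 0])  # client -> [requests, misses]
    for line in lines:
        client, _token, status = parse_resolver_line(line)
        stats[client][0] += 1
        if status == 404:
            stats[client][1] += 1
    return {c: (n, m) for c, (n, m) in stats.items()
            if n >= min_requests and m / n >= min_miss_ratio}


def constructed_log():
    """Constructed sample: one scanner (24 misses in 25 requests) and one
    ordinary user opening three links that exist."""
    lines = []
    for i in range(25):
        status = 200 if i == 7 else 404
        lines.append(f"2016-04-18T10:00:{i:02d}Z 203.0.113.5 GET /tok{i:03d} {status}")
    for i in range(3):
        lines.append(f"2016-04-18T10:01:{i:02d}Z 198.51.100.7 GET /share{i} 200")
    return lines


if __name__ == "__main__":
    for n in (6, 7, 11, 12):
        print(f"{n} chars: {token_space(n):.3e} tokens, {token_bits(n):.1f} bits")
    # Figures from the article: 100 million six-character URLs, ~20,000 hits.
    print("guesses per live link:", guesses_per_hit(100_000_000, 20_000))
    print("rough live six-char links:", estimated_live_links(100_000_000, 20_000, 6))
    print("flagged clients:", flag_enumerators(constructed_log()))
```

The six-character space is under 36 bits, so roughly one guess in five thousand lands on a live folder at the hit rate the article reports; moving to eleven or twelve characters adds about 30 bits, which is what makes Google's change effective. On the detection side, a legitimate user almost never requests a short link that does not exist, so a client with a high miss ratio across many resolutions is the signal to rate-limit or block.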