Microsoft's OneDrive short URLs pointed attackers right at your private files

Short URLs might be useful for sharing links with contacts, but they can also leak private information, researchers find.
Written by Liam Tung, Contributing Writer

Microsoft in March removed the ability to generate short URLs for sharing in OneDrive.

Image: Microsoft

Researchers have found that shortened URLs from cloud services can also be abused by attackers to locate private resources, such as files or even driving directions to medical appointments.

Researchers from Cornell Tech have published a paper demonstrating serious privacy risks from the use of short URLs in cloud services such as Microsoft's OneDrive and Google Maps.

The chief problem with short URLs is that the tokens they carry, at six or seven characters, span a space small enough for an attacker to enumerate by brute force and so discover the true URLs of shared files without ever being given the link. A short link is therefore effectively reachable by anyone on the web who scans for it, not just the contacts it was shared with.
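The arithmetic behind that claim, as an added example that is not part of the article or the researchers' paper: the helper below assumes a 62-symbol token alphabet (a-z, A-Z, 0-9, the usual bit.ly-style alphabet), sizes the token space for a given length, extrapolates from the article's scan figures, and shows the enumerator a scanner would iterate over against a constructed stand-in for the shortener's resolver. The request rate and the toy "live" token set are constructed inputs, not measurements.

```python
"""Token-space arithmetic for short-URL brute forcing (added example).

Assumption: tokens are drawn from a 62-symbol alphabet. The 100 million probes
and ~20,000 OneDrive hits are the figures quoted in the article; everything
else (request rate, toy live set) is constructed for illustration.
"""
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumption)


def token_space(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def scan_coverage(probes, length):
    """Fraction of the token space covered by `probes` distinct random probes."""
    return probes / token_space(length)


def estimate_population(hits, probes, length):
    """Extrapolate the number of live targets in the whole space from a
    uniform random sample of `probes` tokens that produced `hits`."""
    return round(hits / scan_coverage(probes, length))


def scan_time_days(length, requests_per_second):
    """Wall-clock days to enumerate every token at a constant request rate."""
    return token_space(length) / requests_per_second / 86400


def encode_token(index, length, alphabet=ALPHABET):
    """Map an integer in [0, base**length) to a fixed-length token.
    This is the enumerator a brute-force scanner walks, index by index."""
    base = len(alphabet)
    if not 0 <= index < base ** length:
        raise ValueError("index outside token space")
    chars = []
    for _ in range(length):
        index, remainder = divmod(index, base)
        chars.append(alphabet[remainder])
    return "".join(reversed(chars))


def enumerate_hits(resolver, length, start, count):
    """Probe `count` consecutive tokens from `start`; return those that resolve.
    `resolver(token) -> bool` stands in for an HTTP request to the shortener."""
    hits = []
    for index in range(start, start + count):
        token = encode_token(index, length)
        if resolver(token):
            hits.append(token)
    return hits


# Figures quoted in the article: 100 million six-character probes, ~20,000
# OneDrive folders found among them.
ARTICLE_PROBES = 100_000_000
ARTICLE_HITS = 20_000


def article_extrapolation(requests_per_second=1_000):
    """Summarise what the article's scan implies about the 6-, 7- and
    11-character token spaces (request rate is a constructed assumption)."""
    return {
        "space_6": token_space(6),
        "space_7": token_space(7),
        "space_11": token_space(11),
        "coverage_of_article_scan": scan_coverage(ARTICLE_PROBES, 6),
        "estimated_onedrive_6char_links": estimate_population(
            ARTICLE_HITS, ARTICLE_PROBES, 6),
        "days_to_enumerate_6": scan_time_days(6, requests_per_second),
        "days_to_enumerate_11": scan_time_days(11, requests_per_second),
    }


if __name__ == "__main__":
    for key, value in article_extrapolation().items():
        print(f"{key}: {value:,.6g}" if isinstance(value, float) else f"{key}: {value:,}")
    # Toy resolver: two constructed "live" three-character tokens.
    live = {"aab", "aaz"}
    print(enumerate_hits(lambda t: t in live, 3, 0, 100))
```

The extrapolation is the point: 100 million probes cover under 0.2% of the six-character space, so the roughly 20,000 folders found suggest on the order of ten million live six-character OneDrive links, and the whole space is enumerable in well under two years at a modest 1,000 requests per second from a single vantage point. Moving to 11 characters, as Google did, makes the same enumeration take on the order of a billion years at that rate.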

Worse still, the full URL that a OneDrive short link resolves to identifies the account the file belongs to, so a single short URL for one file can lead an attacker to the other files and folders that user has shared.

Some of the shared folders the researchers reached this way were writable, and because OneDrive syncs cloud content down to the owner's devices, they found they could inject malware into those folders and have it delivered to the user's computer.

The same flaws were discovered in URL-shortening services used for Microsoft's OneDrive, Google Drive, Google Maps and Bing Maps.

Microsoft in March removed the ability to generate short URLs for sharing in OneDrive. However, according to the researchers, the company has denied that it removed the feature in response to their earlier vulnerability report. The researchers first reported the issue to Microsoft in May last year.

They notified Google of the information leakage from Maps' short URLs in September. Within a week of the report, Google boosted the size of its short URL tokens to 11 or 12 characters, which are less easy to guess.

In the case of Maps, they found that short URLs could reveal locations shared between contacts as well as driving directions, often from a residential address to a hospital, to physicians associated with specific diseases or procedures, such as abortion, or to correctional facilities.

As noted by Softpedia, while exploring OneDrive short URLs for leakages, the researchers scanned 100 million six-character URLs. They were able to track down nearly 20,000 real URLs that led to OneDrive folders.

Another scan for seven-character OneDrive short URLs revealed over one million documents open on the web.
