Researchers uncover private data leaks in goo.gl, 1drv.com

Apr 15, 2016 10:55 GMT

Martin Georgiev, an independent security researcher, and Vitaly Shmatikov, a professor at Cornell Tech, have discovered issues with the way both Google and Microsoft implemented their URL shortening services.

According to research carried out over 18 months, the two found that most URL shortening services use short random tokens, which attackers can enumerate by brute force.

This type of attack allows a third party to scan massive batches of random shortened URLs, revealing the long URLs behind them, which in some cases link to unprotected private files holding sensitive personal or corporate information.

The Microsoft "1drv.com" tests

As part of their study, the researchers carried out a series of automated scans. They first started with Microsoft's 1drv.com, which is used to automatically produce short URLs for documents stored in the company's OneDrive service.

This is actually a Bit.ly service in disguise, and the researchers found it incredibly easy to brute-force its short 6-character tokens. In a scan of 100 million 1drv.com short URLs, they found that 42 percent were valid links resolving to actual URLs, of which 19,524 led back to OneDrive folders or URLs.

In the case of these latter URLs, researchers were also able to extract the user's ID and account authentication key from the link itself, which later allowed them to escalate their attack by accessing other files on the same account.

Because of this second privacy leak they discovered, researchers re-ran their tests, but this time, they also scanned the long URL's source code for other OneDrive links, exposing an additional 227,276 publicly accessible OneDrive documents.

Researchers ran their test for a third time as well, but in this case, they scanned for 1drv.com 7-character short URLs, discovering 1,105,146 publicly accessible OneDrive documents in another 100 million random URL scan.

Overall, 7 percent of all the unmasked OneDrive folders allowed third parties to write data to them. An attacker could very easily upload malware to those folders and have it automatically synced to the devices connected to that account.

The Google "goo.gl" tests

The same tests were also carried out against goo.gl short URLs, employed by the Google Maps service.

Researchers say that one random scan of the 5-character-long scheme used by Google for Google Maps short URLs revealed links to 23,965,718 live maps, of which ten percent contained driving instructions.

While no sensitive data about the account's owner was included, the details could be used to infer interesting information about each subject, like their daily habits and clues about their real identity. Common driving routes could reveal the person's home or work address, for example.

Looking at some of these driving directions, researchers found a slew of sensitive locations that most people would probably like to keep private. These GPS coordinates or addresses were for various healthcare units (cancer, mental diseases, abortion centers, addiction treatment, etc.), correctional and juvenile detention facilities, payday and car-title lenders, gentlemen’s clubs, and so on.

How Google and Microsoft dealt with this problem

The quickest to patch these flaws was Google, which, once informed, lengthened goo.gl's short URL tokens from five random characters to eleven and twelve. This happened around September 2015.
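The two defences the article describes, longer random tokens and throttled lookups, are easy to quantify. The following Python is an added example written for this article, not code from the researchers, Google or Microsoft: it computes the keyspace and entropy of a token of a given length, the expected yield of random probing against a service with a given number of live links, generates tokens with a CSPRNG, and sketches a per-client sliding-window rate limiter. The 62-symbol alphanumeric alphabet, the sample live-link count in the demo and the limiter's shape are assumptions, not the providers' actual parameters.

```python
import math
import secrets
import string
from collections import deque

# Assumption: URL-safe alphanumeric alphabet (62 symbols); the real services
# may use a different alphabet, which only changes the base of the arithmetic.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random token of this length."""
    return length * math.log2(alphabet_size)


def expected_hits(probes, live_links, length, alphabet_size=len(ALPHABET)):
    """Expected number of random probes that resolve to a live link.

    Assumes tokens are assigned uniformly at random and the scanner samples
    tokens uniformly, so each probe hits with probability live/keyspace.
    """
    return probes * live_links / keyspace(length, alphabet_size)


def probes_per_hit(live_links, length, alphabet_size=len(ALPHABET)):
    """Average number of guesses an unthrottled scanner needs per valid link."""
    return keyspace(length, alphabet_size) / live_links


def generate_token(length):
    """Generate a token with the CSPRNG behind `secrets`, not `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class RateLimiter:
    """Sliding-window limiter: at most `limit` lookups per `window` seconds
    for each client key (for example a source address). A hypothetical shape
    for the "limit automated scans" measure, not Google's implementation."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = {}  # client key -> deque of lookup timestamps

    def allow(self, client, now):
        events = self._events.setdefault(client, deque())
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


if __name__ == "__main__":
    # Constructed demo figures: 100 million probes (the scan size quoted in
    # the article) against an assumed 1 billion live links.
    probes, live = 100_000_000, 1_000_000_000
    for length in (5, 6, 7, 11, 12):
        print(f"{length:2d} chars: {entropy_bits(length):5.1f} bits, "
              f"expected hits {expected_hits(probes, live, length):.3g}, "
              f"probes per hit {probes_per_hit(live, length):.3g}")
    print("sample 11-char token:", generate_token(11))
```

The demo shows the step change the article reports: with the same number of live links, moving from five or six characters to eleven or twelve multiplies the guesses needed per hit by roughly 62 for every added character, which turns a feasible scan into one that a rate limiter can cut off long before it yields anything.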

Google's engineers also took precautions to limit automated scans so that this information would not be so easily obtainable by an attacker.

On the other hand, the researchers say they were unsatisfied with the way Microsoft handled the issue. They say they contacted Microsoft, but the company would not acknowledge it as a "security" problem to begin with.

Nevertheless, in March 2016, nine months after the researchers contacted the company, the OneDrive URL shortening feature was removed for users. Old URLs still exist, though, and attackers can still exploit them. Contacted by the researchers, Microsoft denied that their initial report had anything to do with their decision.

The researchers' full findings are available online as the Gone In Six Characters: Short URLs Considered Harmful for Cloud Services research paper.

This type of research is not entirely new, as something similar was published last summer by Shubham Shah and Christina Camilleri, who used Bit.ly as the testbed for their tests.