There are issues with the way Google and Microsoft implemented their URL shortening services, researchers said.
According to research carried out over 18 months, Martin Georgiev, an independent security researcher, and Vitaly Shmatikov, a professor at Cornell Tech, found that most URL shortening services employ short random character tokens, which attackers can break with brute-force attacks.
This type of attack allows a third-party to scan massive batches of random shortened URLs, revealing the long URLs behind, which in some cases may link to unprotected private files holding sensitive or corporate information.
As part of their study, the researchers carried out a series of automated scans. They first started with Microsoft’s 1drv.com, used to automatically produce short URLs for documents stored in the company’s OneDrive service.
This is actually a Bit.ly service in disguise, and researchers found it incredibly easy to brute-force its small 6-character URLs. During scans of 100 million 1drv.com short URLs, researchers discovered that 42 percent were valid links, leading to actual URLs, of which 19,524 led back to OneDrive folders or URLs.
In the case of these latter URLs, researchers were also able to extract the user’s ID and account authentication key from the link itself, which later allowed them to escalate their attack by accessing other files on the same account.
Because of this second privacy leak they discovered, researchers re-ran their tests, but this time, they also scanned the long URL’s source code for other OneDrive links, exposing an additional 227,276 publicly accessible OneDrive documents.
Researchers ran their test for a third time as well, but in this case, they scanned for 1drv.com 7-character short URLs, discovering 1,105,146 publicly accessible OneDrive documents in another 100 million random URL scan.
Overall, 7 percent of all the unmasked OneDrive folders allowed third-parties to write data to them. An attacker could very easily upload malware to those folders and have it automatically synced to the devices connected to that account.
The same tests ended up used on goo.gl short URLs, employed by the Google Maps service.
Researchers said one random scan of the 5-character-long scheme used by Google for Google Maps short URLs revealed links to 23,965,718 live maps, of which ten percent contained driving instructions.
While there was no sensitive data about the account’s owner, the details could end up used to find out information about each subject, like their daily habits and clues about their real identity. Common driving routes could reveal the person’s home or work address, for example.
Looking at some of these driving directions, researchers found sensitive locations that most people would probably like to keep private.
The quickest to patch these flaws was Google, which enhanced the goo.gl’s short URL scheme from five random characters to eleven and twelve. This happened in September 2015.
Google’s engineers also took precautions to limit automated scans so this information would not be easily obtainable by an attacker.
That was Google, Microsoft, on the other hand, is a different story, the researchers said.
They said they contacted Microsoft, but the company failed to acknowledge this as a “security” problem, to begin with.
Nevertheless, in March, nine months after the researchers contacted the company, the OneDrive URL shortening feature ended up removed for users. Old URLs still exist, though, and attackers can still exploit them. Contacted by the researchers, Microsoft denied their initial report had anything to do with their decision.
The researchers’ full findings are available online as the “Gone In Six Characters: Short URLs Considered Harmful for Cloud Services” research paper.