Gone in Six Characters: Short URLs Considered Harmful for Cloud Services
Martin Georgiev, Vitaly Shmatikov

TL;DR
The paper shows that the 5- and 6-character tokens in short URLs issued by cloud services (for example 1drv.ms and goo.gl) form a space small enough to enumerate by brute force, so any resource shared through such a link is effectively public. The authors use this to read, and in some cases write, OneDrive files and to recover sensitive user locations from shared Google Maps directions.
Contribution
It demonstrates the feasibility of brute-force enumeration of 5-6 character short URLs, exposing security flaws in popular cloud services like OneDrive and Google Maps.
Findings
7% of the OneDrive accounts exposed by short-URL enumeration allow anyone to write into them
Short URLs can be brute-forced to access private files and data
Enumeration reveals sensitive user locations and shared content
Abstract
Modern cloud services are designed to encourage and support collaboration. To help users share links to online documents, maps, etc., several services, including cloud storage providers such as Microsoft OneDrive and mapping services such as Google Maps, directly integrate URL shorteners that convert long, unwieldy URLs into short URLs, consisting of a domain such as 1drv.ms or goo.gl and a short token. In this paper, we demonstrate that the space of 5- and 6-character tokens included in short URLs is so small that it can be scanned using brute-force search. Therefore, all online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities. In the case of cloud storage, we focus on Microsoft OneDrive. We show how to use short-URL enumeration to…
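The abstract's core claim is about arithmetic: a token drawn from a 62-symbol alphanumeric alphabet at 5 or 6 characters gives a space of roughly 10^9 to 6·10^10 values, which a scanner can walk in hours to weeks, and every live link in that space is then found. The example below is added here and is not code from the paper or from any of the services it studies. It assumes a 62-symbol alphabet (the real services' alphabets and token formats may differ), models the shortener as an in-memory dictionary, and runs the full enumeration against a deliberately shrunk namespace so it completes offline in milliseconds; `token_length_for_bits` shows the generalization the paper's discussion of defenses points to, namely how long a token has to be before enumeration stops being feasible.

```python
"""Brute-force enumeration of short-URL tokens: key-space size, scan cost,
and a simulated scan against a toy shortener (added example, not the paper's code)."""
import itertools
import math
import secrets
import string

# Assumption: tokens are case-sensitive alphanumerics, a 62-symbol alphabet,
# as used by many shorteners. The services in the paper may differ in detail.
ALPHANUM = string.ascii_letters + string.digits


def keyspace(length, alphabet=ALPHANUM):
    """Number of distinct tokens of the given length."""
    return len(alphabet) ** length


def scan_hours(length, requests_per_second, alphabet=ALPHANUM):
    """Wall-clock hours needed to try every token at a given request rate."""
    return keyspace(length, alphabet) / requests_per_second / 3600


def token_length_for_bits(bits, alphabet=ALPHANUM):
    """Shortest token that carries at least `bits` of entropy from `alphabet`."""
    return math.ceil(bits / math.log2(len(alphabet)))


class ToyShortener:
    """In-memory stand-in for a URL shortener; tokens are drawn uniformly at random."""

    def __init__(self, length, alphabet=ALPHANUM):
        self.length = length
        self.alphabet = alphabet
        self.links = {}

    def shorten(self, target):
        # Retry on the (rare) collision so every issued token is unique.
        while True:
            token = "".join(secrets.choice(self.alphabet) for _ in range(self.length))
            if token not in self.links:
                self.links[token] = target
                return token

    def resolve(self, token):
        """What the redirect endpoint does: None for an unknown token, else the target."""
        return self.links.get(token)


def enumerate_tokens(shortener):
    """The attack: walk the whole token space and keep every token that resolves."""
    hits = {}
    for chars in itertools.product(shortener.alphabet, repeat=shortener.length):
        token = "".join(chars)
        target = shortener.resolve(token)
        if target is not None:
            hits[token] = target
    return hits


def demo():
    """Scaled-down namespace: a 10-symbol alphabet and 3-character tokens give
    a 1,000-token space, so the full scan finishes instantly. Constructed data."""
    s = ToyShortener(length=3, alphabet="abcdefghij")
    issued = {s.shorten(f"https://example.invalid/doc-{i}"): i for i in range(50)}
    found = enumerate_tokens(s)
    return len(issued), len(found), set(found) == set(issued)


if __name__ == "__main__":
    print(f"6-char alphanumeric tokens: {keyspace(6):,}")
    print(f"full 5-char scan at 1,000 req/s: {scan_hours(5, 1000):.0f} h")
    print(f"token chars needed for 128 bits: {token_length_for_bits(128)}")
    print("toy scan (issued, found, all recovered):", demo())
```

The third value returned by `demo()` is the paper's point in miniature: a scan that covers the whole space recovers every live link, regardless of whether its owner thought it was private. The defense is length rather than secrecy of the alphabet: at 62 symbols, 128 bits of entropy needs 22 characters, roughly four times what the services studied here issued, and rate limiting only stretches the scan time in `scan_hours`, it does not change the outcome.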
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Internet Traffic Analysis and Secure E-voting · Privacy, Security, and Data Protection
