Monday, April 18, 2016

URL Shortening - Week 6

Uniform Resource Locators (URLs) are the standard method for addressing Web content. URLs often grow to hundreds of characters in length. The Hypertext Transfer Protocol (HTTP) does not specify a limit on URL length, but implementations impose various restrictions, in practice around 2048 characters. Long URLs are difficult to distribute and remember (Georgiev & Shmatikov, 2016). URL shortening is therefore a technique on the World Wide Web in which a URL is made substantially shorter in length while still directing to the required page. This is achieved by a redirect on a short domain name that links to the web page with the long URL. For example, the URL "http://en.wikipedia.org/wiki/URL_shortening" can be shortened to "http://tinyurl.com/urlwiki" (URL shortening, n.d.).


URL shorteners provide a useful, simple way of sharing links; however, security researchers Vitaly Shmatikov and Martin Georgiev discovered that web URL shorteners operate in a predictable way, and that these links can disclose sensitive information. The researchers analyzed the most popular URL shorteners: the services implemented by Google, Bit.ly and Microsoft. It was found that shortened URLs can be enumerated by brute force. Their scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users' devices.

Google and Microsoft have introduced fixes to secure newly shortened URL links; however, old links remain vulnerable. The researchers explained that shortened URLs are predictable because they combine a known domain name with a token of five to seven characters. A short URL together with knowledge of the generation mechanism is what exposes these services to brute-force attacks.

The actual URLs are public and can be discovered. The scan of 100 million URLs resulted in the discovery of more than 1.1 million publicly accessible OneDrive files, including documents and executables. In their sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42 percent resolved to actual URLs. Of those, 19,524 URLs led to OneDrive/SkyDrive files and folders, most of them live.


The random scan of Google-shortened URLs allowed the identification of 23,965,718 links, 10 percent of them containing driving directions to sensitive locations, including disease clinics, abortion clinics, and strip clubs (Paganini, 2016). The researchers suggested five approaches to mitigate the vulnerability: make short URLs longer, inform users about the risks of URL shorteners, do not rely on universal URL shorteners, employ CAPTCHAs or other methods to separate human users from automated scanners, and design better APIs for the cloud services that use short URLs.
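To show why "make short URLs longer" works, here is an added example (not from the paper or the post) that models the keyspace of a 62-character token alphabet. It assumes the 42 percent hit rate quoted above for 6-character tokens and derives the implied number of live links from it; the hit-rate threshold used for the longer token is a constructed target, not a figure from the page.

```python
import secrets
import string

# Assumed alphabet: upper, lower and digits, as in typical short-URL tokens.
ALPHABET = string.ascii_letters + string.digits  # 62 characters

def keyspace(token_len: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** token_len

def occupancy(live_links: int, token_len: int) -> float:
    """Fraction of the keyspace that resolves, i.e. the hit rate of a random probe."""
    return live_links / keyspace(token_len)

def expected_probes_per_hit(live_links: int, token_len: int) -> float:
    """Expected number of random guesses a scanner needs per live link found."""
    return 1.0 / occupancy(live_links, token_len)

def min_token_len(live_links: int, max_hit_rate: float) -> int:
    """Smallest token length that keeps the random-probe hit rate at or below max_hit_rate."""
    n = 1
    while occupancy(live_links, n) > max_hit_rate:
        n += 1
    return n

def new_token(token_len: int) -> str:
    """Mint a token with a CSPRNG; sequential or time-based tokens would be guessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(token_len))

# Live-link count implied by the page's figure: 42% of random 6-char tokens resolved.
LIVE_LINKS_IMPLIED = round(0.42 * keyspace(6))

if __name__ == "__main__":
    for n in range(6, 11):
        print(f"len {n}: hit rate {occupancy(LIVE_LINKS_IMPLIED, n):.2e}, "
              f"probes per hit {expected_probes_per_hit(LIVE_LINKS_IMPLIED, n):.3g}")
    # Constructed target: at most one hit per million random probes.
    print("token length needed:", min_token_len(LIVE_LINKS_IMPLIED, 1e-6))
    print("sample token:", new_token(10))
```

With the same number of live links, each extra character divides the hit rate by 62, so a 10-character token turns a scan that found a live link every 2 or 3 guesses into one that needs tens of millions of guesses per hit.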

References: 

Georgiev, M., & Shmatikov, V. (2016, April 10). Gone in six characters: Short URLs considered harmful for cloud services. Retrieved April 17, 2016, from http://arxiv.org/pdf/1604.02734v1.pdf

URL shortening. (n.d.). Retrieved April 17, 2016, from https://en.wikipedia.org/wiki/URL_shortening

Paganini, P. (2016). Watch out! URL shorteners could leak sensitive content. Retrieved April 17, 2016, from http://securityaffairs.co/wordpress/46377/hacking/url-shorteners-flaws.html?utm_medium=email
