Short URLs expose cloud security holes

Cloud security

We've discussed some of the issues associated with cloud security previously. Many companies store confidential documents in the cloud, often unknown to companies themselves. Individuals simply use cloud-based services for collaboration because they are convenient.

Recently, a new security issue for cloud-based services has been flagged, this time to do with short URLs.

What are short URLs?

Short URLs can be extremely useful for sharing links, especially on mediums like Twitter that have a limited number of characters available. They also makes long URLs much easier to type, avoiding errors. Short URLs are often used by cloud-based services such as Microsoft's OneDrive for sharing documents. They are convenient, but they have some implications for cloud security.

Short URLs work by HTTP redirection - the short URL is for the service provider, and it redirects the request to the correct destination. Bitly, Google, and TinyURL are just some of the URL-shortening services available.

Disadvantages of short URLs

There are some disadvantages with using short URLs, however. One is the risk of abuse by spammers - short URLs can be used to disguise links to distasteful or illegal content. URL-shortening services have to put measures in place to delete links to spammer sites to preserve the integrity of their services.

Another disadvantage is the lifetime of the URL. Most services promise permanent URLs, but this is dependent on the service prospering.

Recently, however, another disadvantage has become apparent - this time to do with cloud security.

Cloud security exposed

Cloud services such as Microsoft's OneDrive typically offers to generate a short URL when a document is shared.

But there is a security issue when a popular cloud-based service uses short URLs. If there are not many characters in the short URL (which is the whole idea), then it doesn't take too much computer power to iterate over the entire short URL namespace. Each generated short URL can be checked to see if it points to a valid OneDrive URL.

In cloud-based services, it is common for private documents to be inadvertently permissioned for public access. The only protection is that the cloud-based URLs are long and not easy to guess. Short URLs remove this protection (such as it is). This type of security by obscurity is never very robust, and short URLs expose its shortcomings for cloud services.

Some researchers have recently published their findings on this issue. Their work shows how easy it is to find private cloud-based documents. They also discuss the implications for Google Maps.

The real issue, of course, is not URL shortening, but relying on security by obscurity for cloud-based URLs. URL shortening simply exposes the issue more starkly.

If you are using the cloud for confidential documents, make sure that the appropriate permissions are set. It's always best to check using your browser's private mode to ensure anonymous access isn't permitted to your documents.

Posted by John Faulds in