TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.
The Freedom to Tinker Foundation has just released a study it compiled over the last 18 months — one in which it scanned thousands of shortened URLs and discovered what they unintentionally revealed. Microsoft’s OneDrive — which uses link-shortening — could be made to reveal documents uploaders never intended to share with the public. Worse, Freedom to Tinker discovered a small percentage of brute-forced URLs linked to documents with “write” privileges enabled.
Around 7% of the OneDrive folders discovered in this fashion allow writing. This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware.
And, because Microsoft’s automatic virus/malware scanning for OneDrive contents is less than robust, it wouldn’t take much for any random person to wreak havoc on any number of devices with access to those contents.
OneDrive “synchronizes” account contents across the user’s OneDrive clients. Therefore, the injected malware will be automatically downloaded to all of the user’s machines and devices running OneDrive.
Fortunately for OneDrive users, the scanning method deployed by FTTF no longer works as of March 2016. But this doesn’t necessarily mean the accounts are completely secure — just that one avenue for attack/access has been closed.
Just as disturbing — but for different reasons — is the automatic link shortening tied to Google Maps. The links could be manipulated to discover all sorts of inferential information about people’s private activities… or at least the activities they never thought they were sharing with the world. The directions and searches uncovered by FTTF’s scanning activity potentially reveal plenty of sensitive information about Google Maps users.
Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions. These include directions to and from many sensitive locations: clinics for specific diseases (including cancer and mental diseases), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, gentlemen’s clubs, etc. The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a planned parenthood facility.
The same privacy concerns associated with the indiscriminate use of automatic license plate readers by law enforcement and warrantless access to cell site location info are present here: the reconstruction of people’s lives via the “tracking” of their movements. In this case, however, the information generated is more “voluntary” than either of the other listed collections, which are far more passive than searching for directions using a web service provided by a company with an unquenchable thirst for data.
The good news is that the method deployed for the report no longer works for Google Maps-shortened links. But, once again, that does not mean the problems with link shorteners have been eliminated. FTTF points out that the March 2016 change by Microsoft (which claims it had nothing to do with FTTF reporting the vulnerability to it) only affects links generated after that date. Any previous short URLs are still vulnerable to traversal scans.
Google, however, did make a more of a serious attempt to prevent abuse of its shortened links.
All newly generated goo.gl/maps URLs have 11- or 12-character tokens, and Google deployed defenses to limit the scanning of the existing URLs.
While this news should be of concern to users of these services, it definitely has to be great news for law enforcement and intelligence agencies. So much for “going dark.” Vulnerabilities in web services apparently provide access to otherwise “locked” cloud storage contents and Google Maps — at least until it was fixed — generating tons of location data for the taking.
It’s also worth pointing out that the method used by Freedom to Tinker to complile this report is basically the same methodused by Andrew “Weev” Auernheimer to expose AT&T users’ email addresses: altering URLs to uncover data presumed to be hidden. Of course, AT&T’s vindictiveness resulted in a 3.5 year prison sentence for Auernheimer. No legal threats have been made towards FTTF, but the sad thing is that security research is inherently risky, as you can never tell whether the entity affected will respond with a bug fix or a police report — not until after they’ve been informed.