Gone in Six Characters
April 13, 2016 9:04 AM Subscribe
Gone in Six Characters: Short URLs Considered Harmful for Cloud Services [abstract] [pdf]
In this paper, we demonstrate that the space of 5- and 6-character tokens included in short URLs is so small that it can be scanned using brute-force search. Therefore, all online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities.
In the case of cloud storage, we focus on Microsoft OneDrive. We show how to use short-URL enumeration to discover and read shared content stored in the OneDrive cloud, including even files for which the user did not generate a short URL. 7% of the OneDrive accounts exposed in this fashion allow anyone to write into them. Since cloud-stored files are automatically copied into users’ personal computers and devices, this is a vector for large-scale, automated malware injection.
This thread has been archived and is closed to new comments