A new security threat enterprises need to consider is shortened URLs. They are vulnerable to brute-force attacks...
that can reveal documents shared over the cloud. In one instance, cloud storage providers, such as Microsoft OneDrive, and mapping services, like Google Maps, used shortened URLs that were vulnerable, and revealed users' shared files and addresses, among other data. Shortened URLs have been associated with security risks in the past, primarily in social engineering attacks, where they've been used by attackers to mask malicious links in email, for example. However, the current issues around URL-shortening security represent a more significant flaw in the design of these URL-shortening services altogether.
The issues with URL shorteners
URL-shortening services work by changing URLs to a shorter, simpler string of characters associated with a particular URL. Common URL-shortening services include goo.gl (Google), bitly.com and bit.ly (Bitly), 1drv.ms (Microsoft OneDrive, since discontinued) and x.co (GoDaddy). Many URL shorteners are used to limit characters in URLs to fit more content into social media posts, such as Twitter's 140-character limit -- though, its TweetDeck application has its own URL-shortening service. However, some services have adopted shortening as a basic tactic to obfuscate data related to user accounts, queries and other sensitive information.
In April 2016, Vitaly Shmatikov of Cornell Tech and Martin Georgiev of the University of Texas at Austin discovered they could perform brute-force attacks against many different shortening services, using multiple systems to simultaneously guess shortened URL strings via native APIs or accessible link formats.
The results of their research are disconcerting, to say the least. Guessed links provided immediate and often unauthenticated access to Microsoft OneDrive accounts, with shared documents and even upload capabilities, allowing attackers to post malware directly to an account that is often synchronized with enterprise endpoints. With Google's links, the researchers were able to discover archived direction queries and addresses, revealing where targets had visited or traveled to recently, including healthcare facilities, private addresses and businesses. Aside from the obvious privacy risk associated with these types of exposure, shared storage control could easily grant an attacker a new vector of malware drops or end-user exploitation when they open malicious files on their mobile devices or other systems.
The risk to enterprises
The risk is significant for enterprises, as these types of shortened URLs are rarely monitored or blocked within network environments. Users could easily give away far more sensitive information than the security team realizes just by virtue of using shortening services, and little of this would be traceable through logs or other security events. Corporate documents stored within these services could also be exposed, depending on the authentication and authorization controls in place for the cloud storage services. Aside from personal data exposure, exposed addresses and directions might lead to physical or social engineering attacks against users, too.
To mitigate the risk, organizations should do several things immediately. First, any cloud-based services in use should be assessed to see whether they're using URL-shortening services. It's likely many are, and those in use should be scrutinized by security and operations teams: Can brute-force attacks be used against them to reveal the original data? Does the cloud service perform any logging or monitoring of these types of attacks and alert end users? Even if URL shorteners are used, this doesn't necessarily guarantee attacks against them would be successful -- any online information or account identifiers should be protected with additional authentication or other security controls.
Second, organizations can monitor outbound URL requests to determine if users are leveraging URL-shortening services and block them if the risk is considered high enough. While most URL shorteners are entirely innocuous, enterprise security teams may want to implement a policy that outlines those that are acceptable and any that aren't based on business need.
Discover how to detect shortened URLs carrying malicious links
Learn some social media best practices for CISOs
Find out more about the future of Microsoft OneDrive file sharing