Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)
Posted Apr 15, 2016 6:51 UTC (Fri) by epa (subscriber, #39769) In reply to: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker) by noahm
Parent article: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)
If you have sensitive information to protect, don't rely on others not being able to guess the URI; protect it with a password or other authentication mechanism instead.
Posted Apr 15, 2016 7:26 UTC (Fri) by tao (subscriber, #17563)
Posted Apr 15, 2016 7:28 UTC (Fri) by DOT (subscriber, #58786) (2 responses)
It actually is quite common to have a URI act as a password: just look e.g. at the URIs for Google photos.
Posted Apr 15, 2016 9:06 UTC (Fri) by epa (subscriber, #39769) (1 response)
A longer URI would be harder to find by brute force, but that is only a sticking plaster for the problem, since it will still turn up in Referer: headers and so on.
That said, it is certainly true that the insecure approach is usually the more convenient one, and passing around URIs which don't require any further login details is always going to beat any other approach in convenience. So a sticking plaster may be the best we can do at the moment. If everyone in the world had a Google account then it would be trivial to 'share these driving directions with the following users...' but, thank goodness, the world is more messy than that.
Posted Apr 15, 2016 11:10 UTC (Fri) by alonz (subscriber, #815)
And there is good reason for this practice—it enables the photo owner to share it with friends without them having to sign in. So sure, it's limited (if the URI leaks, it's usable by anyone) but it is a valid trade-off.
Posted Apr 15, 2016 10:43 UTC (Fri) by niner (subscriber, #26151) (3 responses)
Posted Apr 15, 2016 11:25 UTC (Fri) by NAR (subscriber, #1313) (2 responses)
What I don't quite understand is how do they know who created that map?
Posted Apr 15, 2016 19:33 UTC (Fri) by cwitty (guest, #4600) (1 response)
If you're talking about the geocacher map, the researchers created the map as a summary of hundreds of sets of driving directions, all starting at one particular residential address. So it seems reasonable to assume that the person who requested all of those driving directions lives at that address.
Posted Apr 17, 2016 20:41 UTC (Sun) by pr1268 (guest, #24648)
Either that, or the researchers stumbled upon someone's malicious prank to inundate said address with dozens of unwanted visitors. Okay, I'm being a little facetious here, but it could happen!
