
On the Perils of Leaking Referrers in Online Collaboration Services

  • Conference paper
  • In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Abstract

Online collaboration services (OCS) are appealing since they provide ease of access to resources and the ability to collaborate on shared files. Documents on these services are frequently shared via secret links, which allows easy collaboration between different users. The security of this secret link approach relies on the fact that only those who know the location of the secret resource (i.e., its URL) can access it. In this paper, we show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files. Specifically, if a user clicks on a link embedded into a file hosted on an OCS, the HTTP Referer contained in the resulting HTTP request might leak the secret URL. We present a study of 21 online collaboration services and show that seven of them are vulnerable to this kind of secret information disclosure caused by the improper handling of embedded links and HTTP Referers. We identify two root causes of these issues, both having to do with an incorrect application of the Referrer Policy, a countermeasure designed to restrict how HTTP Referers are shared with third parties. In the first case, six services leak their referrers because they do not implement a strict enough and up-to-date policy. In the second case, one service correctly implements an appropriate Referrer Policy, but some web browsers do not obey it, causing links clicked through them to leak their HTTP Referers. To fix this problem, we discuss how services can apply the Referrer Policy correctly to avoid these incidents, as well as other server and client side countermeasures.
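The abstract's first root cause is a Referrer Policy that is not strict enough to keep a document's secret URL from crossing origins when an embedded link is clicked. The following is an added example, not code from the paper or from any of the services it studies: a model of the decision a policy-conforming browser makes when it builds the Referer header (the "determine request's referrer" logic of the W3C Referrer Policy specification), plus a parser for the `Referrer-Policy` header's fallback-list syntax. With it, an operator can check which policy values stop a constructed secret document URL from reaching a third party. All hostnames and the token in the URL are constructed placeholders. The model assumes a browser that obeys the policy; the paper's second root cause, a browser that ignores it, is exactly what a server-side policy cannot fix, which is why the abstract also points to other server- and client-side countermeasures.

```python
"""
Added example (not the paper's code): models how a conforming browser
derives the Referer header under each Referrer Policy value, to show which
values leak the secret URL of a shared document to a third party.
All URLs are constructed placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed secret-link URL of a document hosted on a hypothetical OCS.
SECRET_DOC = "https://ocs.example/s/Zk9q3-SECRET-TOKEN/report.html"


def origin_of(url):
    """(scheme, host, port) of a URL; userinfo, path, query and fragment dropped."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def strip_for_referrer(url, origin_only=False):
    """Strip a URL the way browsers do before sending it as a Referer:
    credentials and fragment always go; with origin_only the path and query
    go too, leaving only 'scheme://host[:port]/'."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != DEFAULT_PORTS.get(p.scheme):
        host = f"{host}:{p.port}"
    if origin_only:
        return urlunsplit((p.scheme, host, "/", "", ""))
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))


def referer_for(policy, referrer_url, destination_url):
    """Referer value a conforming browser sends when navigating from
    referrer_url to destination_url under policy, or None for no header."""
    same_origin = origin_of(referrer_url) == origin_of(destination_url)
    # A "downgrade" is HTTPS -> non-HTTPS; the strict/when-downgrade
    # variants suppress the header in that case.
    downgrade = (urlsplit(referrer_url).scheme == "https"
                 and urlsplit(destination_url).scheme != "https")
    full = strip_for_referrer(referrer_url)
    origin = strip_for_referrer(referrer_url, origin_only=True)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy {policy!r}")


def parse_referrer_policy_header(value):
    """Parse a Referrer-Policy header. It is a comma-separated list and the
    last token the browser recognises wins, so
    'no-referrer, strict-origin-when-cross-origin' gives modern browsers the
    second value and older browsers that do not know it fall back to the
    first. Returns '' when no token was recognised (browser default applies)."""
    chosen = ""
    for token in value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen


def secret_leaks(referer, secret_url):
    """True if the Referer would reveal the secret path of secret_url."""
    secret_path = urlsplit(secret_url).path
    return referer is not None and secret_path in referer


def audit(policy_header, secret_url, destinations,
          browser_default="no-referrer-when-downgrade"):
    """For each link destination, the Referer the browser would send from the
    secret document and whether it leaks the secret path. browser_default is
    used when the header names no known policy; browsers historically
    defaulted to no-referrer-when-downgrade, current major browsers default
    to strict-origin-when-cross-origin."""
    policy = parse_referrer_policy_header(policy_header) or browser_default
    rows = []
    for dest in destinations:
        referer = referer_for(policy, secret_url, dest)
        rows.append((dest, referer, secret_leaks(referer, secret_url)))
    return rows


if __name__ == "__main__":
    # Constructed destinations: a third party over HTTPS, the same third
    # party over plain HTTP, and another document on the same service.
    links = ["https://third-party.example/page",
             "http://third-party.example/page",
             "https://ocs.example/s/other-doc"]
    for header in ["", "no-referrer, strict-origin-when-cross-origin"]:
        print(f"Referrer-Policy: {header!r}")
        for dest, referer, leaks in audit(header, SECRET_DOC, links):
            print(f"  -> {dest}: Referer={referer!r} leaks={leaks}")
```

Running the block with no header set shows that a legacy-default browser sends the full secret URL to the HTTPS third party, while the two-value header reduces the cross-origin Referer to `https://ocs.example/` and sends nothing on the HTTP downgrade; same-origin navigations keep the full URL, which is harmless because the service itself already knows it.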


Notes

  1. Ruled out services are: prezi.com, uploaded.net, 4shared.com, 1fichier.com, filerio.io, filefactory.com, bibsonomy.org, adrive.com, drivehq.com, clickability.com, filesanywhere.com, livedrive.com, smartfile.com, elephantdrive.com, mydocsonline.com, www.jungledisk.com, kontainer.com, mozy.com, exavault.com, thinkfree.com, cryptoheaven.com, powerfolder.com, filesave.me, crocko.com, cloudsafe.com, trueshare.com, diino.com, filehostname.com, file-works.com, wonderfile.net, classlink.com, signiant.com, fileflow.com, bluejeans.com, dropsend.com, hightail.com, justcloud.com, sugarsync.com, idrive.com, sharepoint.com, transfer-now.com, deliveryslip.com, mango.com, ionos.com, mediafire.com, tresorit.com, sync.com.

  2. The endpoint for this sanitation has the representative name of https://www.dropbox.com/referrer_cleansing_redirect.


Acknowledgements

This work was partially funded by the Office of Naval Research under grants N00014-17-1-2541 and N00014-17-1-2011. We would like to thank the anonymous reviewers for their insightful feedback which helped us improve the final version of our paper.

Author information

Correspondence to Beliz Kaleli, Manuel Egele or Gianluca Stringhini.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Kaleli, B., Egele, M., Stringhini, G. (2019). On the Perils of Leaking Referrers in Online Collaboration Services. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_4

  • DOI: https://doi.org/10.1007/978-3-030-22038-9_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer Science (R0)