Guess My Shared Link

Link sharing is a common way to share files to unauthenticated users via publicly-accessible shared URLs.
Have you ever wondered how secure link sharing is?

by Isaak Mtizwa, published on 28 October 2024, 4 min reading time

Guess My Secret Link

This post was written by Gaiëtan Renault.

Let us consider a URL of the form https://example.com/{valid token} that redirects to some sensitive web page for each of several valid token strings. The valid tokens are generally produced randomly by the server (typically via a hash function) and should be hard for an external party to guess.

The question is then: by brute-forcing different tokens in this URL, can an attacker find a {valid token} and leak some sensitive information? More precisely, what is the probability of finding, after n distinct trials, at least one valid URL, given that there are k valid and distinct URLs, and that their associated secret tokens are hex strings of length l that are all distinct and uniformly distributed?

Let us define S_url as the set of all possible URLs of the form https://example.com/{token}, where token is any hex string of length l. From this we can build the subset S_shared links (see Fig. 1), the set of all valid URLs of the form https://example.com/{valid token}, where valid token is a hex string of length l such that https://example.com/{valid token} redirects to some sensitive information.

Let us define the sequence of random variables (X_i : i ∈ {1, …, k}) as the URLs drawn from S_url in k uniformly random picks without replacement. We can then compute the probability as:

As a side note, the result obtained in Eq. 1 can also be derived from the hypergeometric cumulative distribution function (CDF):

Now, let us take a real-world scenario and compute this probability using a Python script (see Script 3). Microsoft OneDrive lets you share files or folders (with specific access permissions) through link sharing.

It produces a URL containing a unique id of length 46, drawn from the set of all upper- and lower-case letters, numbers, dash and underscore, i.e. {a−z, A−Z, 1−9, −, _}.

We will assume the following estimations:

1. A brute-forcing attacker makes 10,000 requests per second and keeps trying for one entire week. This is a generous upper estimate; it represents roughly 1 TB of HTTP traffic.

2. There are about |S_shared links| := 10^8 different shared links generated from S_url, where |S_url| = (26 × 2 + 10 + 2)^46.

We obtain a probability of 4.9 × 10^−66. As one can see, from a probability-based risk-analysis approach the event is very unlikely to happen, and we are pretty safe on this side. To put it into perspective, this probability is roughly comparable to picking one specific atom out of all the atoms in our Galaxy (≈ 10^68).
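The post refers to a Script 3 that is not reproduced here; the following is an added example (not the post's own script) that computes the same scenario with the standard hypergeometric tail, i.e. P(at least one hit in n distinct guesses) = 1 − C(N−k, n)/C(N, n) with N = |S_url| and k = |S_shared links|. An exact evaluation of the binomial coefficients is fine for small N but infeasible for N = 64^46, so for the real scenario the block sandwiches the exact value between two closed-form bounds evaluated with 120-digit decimals; the parameter values are the post's, the function names are this example's own.

```python
from decimal import Decimal, getcontext
from fractions import Fraction
from math import comb

# 120 significant digits: enough that 1 - k/N (k/N ~ 1e-75) does not round to 1.
getcontext().prec = 120

# Scenario parameters from the post (alphabet of 64 symbols, id length 46).
ALPHABET_SIZE = 26 * 2 + 10 + 2          # a-z, A-Z, digits, '-', '_'
TOKEN_LENGTH = 46
SHARED_LINKS = 10 ** 8                   # k = |S_shared links|
TRIALS = 10_000 * 7 * 24 * 3600          # n = guesses in one week at 10,000 req/s


def url_space_size(alphabet_size=ALPHABET_SIZE, token_length=TOKEN_LENGTH):
    """|S_url|: number of distinct tokens of the given length over the alphabet."""
    return alphabet_size ** token_length


def p_hit_exact(n, k, N):
    """Exact P(at least one valid token among n distinct guesses), as a Fraction.

    X ~ Hypergeometric(N, k, n) counts the valid tokens among the n guesses and
    P(X = 0) = C(N - k, n) / C(N, n). Only practical when C(N, n) is small.
    """
    return 1 - Fraction(comb(N - k, n), comb(N, n))


def p_hit_bounds(n, k, N):
    """Lower and upper bounds on the same probability, without n-term products.

    P(X = 0) = prod_{i=0}^{n-1} (1 - k/(N - i)), and every factor lies between
    1 - k/(N - n + 1) and 1 - k/N, hence
        1 - (1 - k/N)^n  <=  P(X >= 1)  <=  1 - (1 - k/(N - n + 1))^n.
    For n, k << N the two bounds agree to dozens of significant digits.
    """
    k_d, N_d = Decimal(k), Decimal(N)
    lower = 1 - (1 - k_d / N_d) ** n
    upper = 1 - (1 - k_d / (N_d - n + 1)) ** n
    return lower, upper


def first_order_estimate(n, k, N):
    """The back-of-the-envelope value n*k/N, valid when n*k << N."""
    return Decimal(n) * Decimal(k) / Decimal(N)


if __name__ == "__main__":
    N = url_space_size()
    lo, hi = p_hit_bounds(TRIALS, SHARED_LINKS, N)
    print(f"|S_url| = {ALPHABET_SIZE}^{TOKEN_LENGTH} ~ {float(N):.3e}")
    print(f"P(hit) in [{lo:.6e}, {hi:.6e}]; n*k/N ~ {first_order_estimate(TRIALS, SHARED_LINKS, N):.3e}")
    # Sanity check of the bounds against the exact formula on a toy instance.
    small = p_hit_exact(50, 10, 1000)
    s_lo, s_hi = p_hit_bounds(50, 10, 1000)
    print(f"toy case: exact {float(small):.4f} in [{float(s_lo):.4f}, {float(s_hi):.4f}]")
```

The interval for the OneDrive scenario lands at about 5 × 10^−66, matching the figure quoted above; the toy instance shows that the exact hypergeometric value does sit inside the bounds, which is the justification for trusting them where the exact computation is out of reach.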

In real-world scenarios, however, several things can go wrong; here is a non-exhaustive list:

1. Lack of SSL encryption when accessing the shared link. This leaks the accessed URL to an eavesdropper. Nowadays most connections are secured by SSL, and URLs are thus encrypted in transit.

2. Token easily guessable (e.g. the token is produced by a simple iterator: https://example.com/0000, https://example.com/0001, etc.).

3. Poor-quality or poorly implemented token random generator. See the blog post by crazycontini (in the references) for more details on this.

4. The shared link (or token) can be leaked, e.g. by crawling bots, through the Referer header, from web logs, from browser history, add-ons and cache, or by shoulder surfing.

5. Most often, link sharing lacks accountability, e.g. it has no expiry date or access-log features.

6. Any vulnerability giving path-enumeration capability on the web server will leak all the external links.
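Items 2, 3 and 5 above are all design decisions on the server side. The following is an added example (not from the post and not OneDrive's code) of what a minimal share-link service can do about them, using the same 64-symbol alphabet and 46-character length as the scenario above: the counter-based token from item 2 is shown only as the anti-pattern, valid tokens are drawn from the OS CSPRNG via Python's secrets module, every link carries an expiry, every successful access is logged, and failed lookups are counted per client so that a guessing campaign becomes visible in the logs. All class and function names are this example's own.

```python
import math
import secrets
import string
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Same alphabet and length as the OneDrive-style ids discussed above.
ALPHABET = string.ascii_letters + string.digits + "-_"   # 64 symbols
TOKEN_LENGTH = 46


def token_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly drawn token: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def weak_sequential_token(counter: int) -> str:
    """Anti-pattern from item 2: a zero-padded counter. Zero entropy, trivially
    predictable; kept here only to contrast with strong_token()."""
    return f"{counter:0{TOKEN_LENGTH}d}"


def strong_token(length: int = TOKEN_LENGTH) -> str:
    """Item 3: every symbol comes from secrets (the OS CSPRNG), never from
    random.Random, whose internal state can be recovered from its outputs."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class SharedLink:
    path: str
    expires_at: float                                  # item 5: links expire
    accesses: List[Tuple[float, str]] = field(default_factory=list)  # item 5: access log


class ShareLinkStore:
    """Registry of secret tokens -> shared resources (constructed, in-memory)."""

    def __init__(self) -> None:
        self._links: Dict[str, SharedLink] = {}
        self.misses: Counter = Counter()   # failed lookups per client, for detection

    def create(self, path: str, ttl_seconds: float, now: float) -> str:
        token = strong_token()
        self._links[token] = SharedLink(path, expires_at=now + ttl_seconds)
        return token

    def resolve(self, token: str, now: float, client: str) -> Optional[str]:
        """Return the shared path, or None. Unknown, revoked and expired tokens
        all get the same answer so a caller cannot tell which case it hit."""
        link = self._links.get(token)
        if link is None or now >= link.expires_at:
            self.misses[client] += 1
            return None
        link.accesses.append((now, client))
        return link.path

    def revoke(self, token: str) -> None:
        self._links.pop(token, None)

    def access_log(self, token: str) -> List[Tuple[float, str]]:
        link = self._links.get(token)
        return list(link.accesses) if link else []

    def suspicious_clients(self, threshold: int) -> List[str]:
        """Clients whose failed lookups exceed the threshold: a guessing campaign
        produces almost nothing but misses, so this is the signal to alert on."""
        return [c for c, n in self.misses.items() if n > threshold]


if __name__ == "__main__":
    print(f"entropy per token: {token_entropy_bits(len(ALPHABET), TOKEN_LENGTH):.0f} bits")
    print("weak  :", weak_sequential_token(7))
    print("strong:", strong_token())
    store = ShareLinkStore()
    tok = store.create("/docs/report.pdf", ttl_seconds=3600, now=1000.0)
    print(store.resolve(tok, now=1500.0, client="198.51.100.7"))   # served
    print(store.resolve(tok, now=5000.0, client="198.51.100.7"))   # expired -> None
    for i in range(25):                                            # constructed guesses
        store.resolve(weak_sequential_token(i), now=1600.0, client="203.0.113.9")
    print("alert on:", store.suspicious_clients(threshold=20))
```

A 46-symbol token over a 64-symbol alphabet carries 276 bits of entropy, which is where the 10^−66 figure above comes from; the same store with weak_sequential_token() in create() would have none, whatever the length. Counting misses per client is the cheapest detection the server can add, since a legitimate user essentially never sends an invalid token.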

References

crazycontini. Cautionary note: UUIDs generally do not meet security requirements. https://littlemaninmyhead.wordpress.com/2015/11/22/cautionary-note-uuids-should-generally-not-be-used-for-authentication-tokens/
