2019 | OriginalPaper | Chapter

On the Perils of Leaking Referrers in Online Collaboration Services

Authors: Beliz Kaleli, Manuel Egele, Gianluca Stringhini

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing

Abstract

Online collaboration services (OCS) are appealing since they provide ease of access to resources and the ability to collaborate on shared files. Documents on these services are frequently shared via secret links, which allows easy collaboration between different users. The security of this secret link approach relies on the fact that only those who know the location of the secret resource (i.e., its URL) can access it. In this paper, we show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files. Specifically, if a user clicks on a link embedded in a file hosted on an OCS, the HTTP Referer contained in the resulting HTTP request might leak the secret URL. We present a study of 21 online collaboration services and show that seven of them are vulnerable to this kind of secret information disclosure caused by the improper handling of embedded links and HTTP Referers. We identify two root causes of these issues, both having to do with an incorrect application of the Referrer Policy, a countermeasure designed to restrict how HTTP Referers are shared with third parties. In the first case, six services leak their referrers because they do not implement a strict enough and up-to-date policy. In the second case, one service correctly implements an appropriate Referrer Policy, but some web browsers do not obey it, causing links clicked through them to leak their HTTP Referers. To fix this problem, we discuss how services can apply the Referrer Policy correctly to avoid these incidents, as well as other server-side and client-side countermeasures.
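The leak the abstract describes can be reproduced offline by modelling what a policy-compliant browser puts in the Referer header for a click out of a shared document. The following Python script is an added example, not code from the paper or from any of the services studied; it implements the delivery rules of the W3C Referrer Policy specification for a top-level navigation and audits which policy values expose a secret-link token. The OCS URL, the third-party target and the token are constructed for the example.

```python
"""Which Referrer Policy values leak a secret document URL on an outbound click?

Added example (not from the paper). Implements the W3C Referrer Policy
delivery rules for a navigation from `referring_url` to `target_url`.
All URLs and the secret token below are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Policy tokens defined by the W3C Referrer Policy specification.
POLICIES = (
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
    "unsafe-url",
)


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def origin_of(url):
    """Serialised origin with a trailing slash, as sent by origin-only policies."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}/"


def strip_for_referrer(url):
    """Full referrer: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, _effective_port(pa)) == (
        pb.scheme, pb.hostname, _effective_port(pb))


def is_downgrade(referring_url, target_url):
    """HTTPS document navigating to a non-HTTPS target."""
    return urlsplit(referring_url).scheme == "https" and urlsplit(target_url).scheme != "https"


def referrer_for(policy, referring_url, target_url):
    """Referer header value a compliant browser sends, or None for no header."""
    if policy == "":
        policy = "strict-origin-when-cross-origin"  # default in current browsers
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    full = strip_for_referrer(referring_url)
    origin = origin_of(referring_url)
    same = same_origin(referring_url, target_url)
    downgrade = is_downgrade(referring_url, target_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same else origin
    # strict-origin-when-cross-origin
    if same:
        return full
    return None if downgrade else origin


def leaks_secret(policy, referring_url, target_url, secret):
    """True if the Referer sent under `policy` contains the secret token."""
    value = referrer_for(policy, referring_url, target_url)
    return value is not None and secret in value


def audit(referring_url, target_url, secret):
    """Map every policy to whether it leaks the secret for this click."""
    return {p: leaks_secret(p, referring_url, target_url, secret) for p in POLICIES}


if __name__ == "__main__":
    # Constructed secret-link document and an embedded third-party link.
    DOC = "https://ocs.example/share/d/0B9SECRET_TOKEN_x7Q/view?usp=sharing#page=2"
    for policy, leaked in audit(DOC, "https://third-party.example/article", "0B9SECRET_TOKEN_x7Q").items():
        print(f"{policy:32s} {'LEAKS' if leaked else 'safe'}")
```

For a cross-origin HTTPS-to-HTTPS click, the audit flags only `no-referrer-when-downgrade` (the pre-2020 browser default) and `unsafe-url` as leaking the token; the origin-only policies reduce the header to `https://ocs.example/`, and `no-referrer` suppresses it entirely. A service can set the policy via the `Referrer-Policy` response header or the `referrerpolicy` attribute on the link, but, as the abstract notes for one of the studied services, a correct policy only helps when the browser honours it.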


DOI: https://doi.org/10.1007/978-3-030-22038-9_4