On the Perils of Leaking Referrers in Online Collaboration Services

Authors: Beliz Kaleli, Manuel Egele, Gianluca Stringhini

DIMVA 2019

Page 2: Online Collaboration Services (OCSs)

File operations:

▪ Upload/Create
▪ View/Edit online
▪ Share

Page 3: Sharing a File on an OCS

Upload or Create → Share → https://www.ocs-name.com/<UniqueIdentifier>

The share link is an ideally unguessable secret location.

Page 4

This year McAfee reported that:

“8% of shared files contain sensitive data” [1]

▪ OCS files, used by individuals and companies, can contain sensitive information.

[1] Where cloud files are shared. https://www.skyhighnetworks.com/cloud-computing-trends-2019/

Page 5: Introduction

We show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files.

▪ 21 OCSs are analyzed on 6 different web browsers

Page 6: Background - HTTP Referer

▪ HTTP request header that identifies the URI from which the request originated.

Example: a request originating from http://ocs.com/file1 carries these request headers:

Accept: text/html, application/xhtml+xml
Accept-Encoding: gzip, deflate
Accept-Language: en-US, en; q=0.5
Connection: keep-alive
DNT: 1
Host: ocs.com
Referer: http://ocs.com/file1
User-Agent: Mozilla/5.0 (X11; Linux x86_64)

Page 7: Background - HTTP Referer

Purpose:
▪ Personalize the website: provide specific help, suggest relevant pages to targeted users
▪ Generate special offers
▪ Webpage analytics (e.g., analyzing where most of the traffic is coming from)
▪ Block visitors from specific domains

The HTTP Referer field is configurable with the Referrer Policy [1]

[1] W3C Candidate Recommendation referrer policy. https://www.w3.org/TR/referrer-policy/.

Page 8: Background - Existing Mitigations

▪ Referrer Policy
  ● "no-referrer"
  ● "no-referrer-when-downgrade"
  ● "same-origin"
  ● "origin"
  ● "strict-origin"
  ● "origin-when-cross-origin"
  ● "strict-origin-when-cross-origin"
  ● "unsafe-url"

▪ HTML Link Type (i.e. rel="noreferrer")

Referrer structure, by what the HTTP Referer carries:

HTTP Referer       Referrer Structure
No Referrer        -
ASCII Serialized   http(s)://www.service-name.com/
Full Referrer      http(s)://www.service-name.com/<UniqueIdentifier>

Page 9-13: Attack Model

[Figure, built up over pages 9-13: a shared OCS file at a secret URL contains a link to maggi.cc; when the link is followed, the request to maggi.cc carries "Referrer: secret URL", and Eve, behind maggi.cc, obtains the secret URL.]

Page 14-16

Alice: Upload/Create file

Alice: Share file, e.g. https://docs.google.com/document/d/17AA7PNbyu94pHe8QxKHKq8SsKPuLZV-9-ZrWvV-k45o/edit?usp=sharing

Bob: Visit link

Page 17: Implementation - Methodology

To test our attack model on real-world OCSs:

1. Identifying relevant services
2. Creating files
3. Sharing files
4. Examining the referrer

Page 18: Implementation - Identifying Relevant Services

▪ We obtained the most popular services by Google queries and crawling Alexa lists
  ▪ Top/Computers/Internet/File_Sharing
  ▪ Top/Computers/Internet/On_the_Web/Web_Applications/Storage

▪ Test manually:
  ▪ Set up an account
  ▪ Upload/Create file with link to our server
  ▪ Check if clickable
  ▪ Check if shareable via a URL

[Figure: uploaded file containing a link to our-server.com]

Page 19: Implementation - Creating Files

▪ Created different types of files: “.doc”, “.docx”, “.pdf”, “.xls”, “.xlsx”, “.ppt”, “.pptx”, “.note”, etc.

[Figure: the embedded URL in each file points to our web server, where HTTP headers are logged]

Page 20: Implementation - Sharing Files

Relevant OCSs = File Hosting Services + Instant Messaging Services

For file hosting services and instant messaging services:
▪ Shared through links which are editable or view-only

For some instant messaging services (e.g., Flock):
▪ File sent directly to chat between two accounts

Page 21-30: Implementation - Examining Referrers

[Figure, built up over pages 21-25: Alice uploads a file to the OCS and shares its secret URL; Bob visits the link and clicks the embedded link to our-server.com; on our-server the Referrer URL is collected from the output of the logging script.]

Outcomes examined for each recorded visit (pages 26-30):

Visit recorded → Referrer URL → Secret URL is leaked / Secret URL is NOT leaked → File is accessed / File is NOT accessed
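As an added example (not the authors' script), this Python snippet performs the "collect referrer URL" step above on constructed server log lines: it sorts each logged Referer into the three structures of page 8 (no referrer, ASCII-serialized origin, full referrer) and reports which service under test leaked its share link. The service names, share links and log lines are constructed placeholders; whether a leaked URL actually grants access to the file is the separate check shown on pages 29-30.

```python
import re
from urllib.parse import urlsplit

# Share links the tester created on each service under test (constructed
# placeholders, not real services): the part after the last "/" is the
# unique identifier that must stay secret.
SECRET_LINKS = {
    "alpha-ocs": "https://www.alpha-ocs.example/s/CONSTRUCTED-ID-7f3a",
    "beta-ocs": "https://www.beta-ocs.example/files/CONSTRUCTED-ID-9c21",
    "gamma-ocs": "https://www.gamma-ocs.example/d/CONSTRUCTED-ID-0b4e",
}

# Constructed log lines from the link-target server, Apache "combined" format;
# the first quoted field after the status and size is the Referer header.
LOG_LINES = """\
203.0.113.5 - - [10/Jun/2019:10:00:01 +0000] "GET /landing HTTP/1.1" 200 512 "https://www.alpha-ocs.example/s/CONSTRUCTED-ID-7f3a" "Mozilla/5.0"
203.0.113.6 - - [10/Jun/2019:10:00:02 +0000] "GET /landing HTTP/1.1" 200 512 "https://www.beta-ocs.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2019:10:00:03 +0000] "GET /landing HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jun/2019:10:00:04 +0000] "GET /landing HTTP/1.1" 200 512 "https://www.gamma-ocs.example/d/CONSTRUCTED-ID-0b4e?usp=sharing" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)


def classify_referrer(referrer):
    """Map one logged Referer value to the structures of page 8:
    no referrer, ASCII-serialized origin only, or full referrer (leak).
    Returns (kind, service); service is set only for a leak."""
    if referrer in ("", "-"):
        return "no-referrer", None
    p = urlsplit(referrer)
    if p.path in ("", "/") and not p.query:
        return "origin-only", None  # origin only: identifier not leaked
    for service, link in SECRET_LINKS.items():
        secret = urlsplit(link)
        if p.netloc == secret.netloc and secret.path.rsplit("/", 1)[-1] in p.path:
            return "full-referrer", service  # unique identifier leaked
    return "other", None  # full URL, but from an unrelated site


def examine_log(text):
    """Return {service: 'leaked' | 'not leaked'} for every service under test."""
    verdict = {service: "not leaked" for service in SECRET_LINKS}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        kind, service = classify_referrer(m.group(2))
        if kind == "full-referrer":
            verdict[service] = "leaked"
    return verdict


if __name__ == "__main__":
    for service, result in examine_log(LOG_LINES).items():
        print(f"{service}: {result}")
```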

Page 31-32: Referrer Policy

First Public Draft (2014):
▪ "none"
▪ "none-when-downgrade"
▪ "origin-only"
▪ "origin-when-cross-origin"
▪ "unsafe-url"

Working Draft (2016):
▪ "no-referrer"
▪ "no-referrer-when-downgrade"
▪ "same-origin"
▪ "origin"
▪ "strict-origin"
▪ "origin-when-cross-origin"
▪ "strict-origin-when-cross-origin"
▪ "unsafe-url"

Currently a Candidate Recommendation

Page 33: Evaluation - Common Insights

Reasons behind vulnerabilities:

Services
▪ Referrer Policy is not set by the OCS
▪ Referrer Policy option is not secure enough
▪ Different behavior on mobile and desktop browsers

Browsers
▪ Edge and iOS Safari support an older draft of Referrer Policy

Page 34: Evaluation

7/21 Vulnerable

[Table: per-service results across the tested browsers; legend: Vulnerable / Not vulnerable / N/A]

Page 35: Evaluation

▪ Edge and iOS Safari support an older draft of Referrer Policy
  e.g., Overleaf
  ▪ "origin-when-cross-origin"
  → Overleaf changed to "no-referrer" and added rel=noreferrer
  → No longer vulnerable

Page 36: Evaluation

▪ Different behaviors on desktop and mobile browsers
  ▪ PDF.js removes referrers; built-in mechanisms may not
  e.g., Box
  ▪ Desktop browsers - PDF.js (removes referrers in requests)
  ▪ Mobile browsers - native PDF viewer (no referrer removal)
  ▪ "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS

Page 37: Evaluation

▪ Referrer Policy is not set by the OCS
  e.g., Onehub, LinkedIn SlideShare, Evernote
  ▪ Fallback to "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS

Page 38: Adoption of Referrer Policy

▪ First 100K of the lists

[Chart: Referrer Policy adoption; legend: less safe option]

Page 39: Countermeasures

User
▪ Configure browser settings
▪ Use browser extensions
▪ Use private browsing mode (on Firefox)

Provider
▪ Trim HTTP Referer to only display the hostname
▪ Use rel="noreferrer"
▪ Redirect links inside documents

Page 40: Future Steps

▪ Analyze different browsers and OCSs
▪ Investigate whether this vulnerability is known
  ▪ Embed links to several real-world websites
▪ Analyze the use of information
  ▪ Fill files with fake sensitive data

Page 41: Conclusion

▪ We analyzed 21 OCSs by uploading different types of documents containing a link referring to our servers
▪ 7 out of 21 services are vulnerable
▪ Improper use of the Referrer Policy by online services
▪ Limited support offered by web browsers


Page 43

"no-referrer": The Referer header is omitted entirely for requests to any origin.

"no-referrer-when-downgrade": The full referrer is sent in requests from a TLS-protected environment to a potentially trustworthy URL, and from a non-TLS-protected environment to any origin. Conversely, the Referer header is omitted in requests from a TLS-protected environment to a non-potentially-trustworthy URL.

"same-origin": A full URL, stripped for use as a referrer (the algorithm to strip URLs is defined in [8]), is sent with same-origin requests. The Referer header is omitted in cross-origin requests.

"origin": With both same-origin and cross-origin requests, an ASCII serialization of the referrer's origin is sent. An example of this serialization is given in Table 1.

"strict-origin": An ASCII serialization of the origin is sent with requests from a TLS-protected environment to a potentially trustworthy URL and from a non-TLS-protected environment to any origin, whereas no referrer is sent from a TLS-protected environment to a non-potentially-trustworthy URL.

"origin-when-cross-origin": A full URL, stripped for use as a referrer, is sent with same-origin requests. An ASCII serialization of the request's origin is sent with cross-origin requests.

"strict-origin-when-cross-origin": A full URL, stripped for use as a referrer, is sent with same-origin requests. For cross-origin requests, the same scheme as "strict-origin" is applied.

"unsafe-url": A full URL, stripped for use as a referrer, is sent with both same-origin and cross-origin requests.


Page 45-46: Countermeasures - “Safer” Policies

▪ "no-referrer"
  ▪ all requests: no referrer

▪ "same-origin"
  ▪ same origin requests: full referrer
  ▪ cross origin requests: no referrer

▪ "strict-origin"
  ▪ TLS-protected environment → potentially trustworthy URL: ASCII serialization
  ▪ non-TLS-protected environment → any origin: ASCII serialization
  ▪ TLS-protected environment → non-potentially trustworthy URL: no referrer

▪ "strict-origin-when-cross-origin"
  ▪ same origin requests: full referrer
  ▪ cross origin requests: same as “strict-origin”
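As an added example (not the authors' code and not a browser implementation), this Python model encodes the eight policy values defined on page 43 so the "safer" policies of pages 45-46 can be compared against the ones the evaluation found leaking on the HTTPS → HTTPS path ("no-referrer-when-downgrade", pages 36-37). It simplifies "potentially trustworthy URL" to "scheme is https" (the real algorithm also trusts localhost and similar); the share URL and link target used in the checks are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def _host(p):
    """Host (plus non-default port) of a split URL, credentials dropped."""
    host = p.hostname or ""
    return f"{host}:{p.port}" if p.port is not None else host

def strip_for_referrer(url):
    """A URL 'stripped for use as a referrer': no credentials, no fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def origin(url):
    """ASCII serialization of the origin, written as on page 8 (trailing /)."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def is_downgrade(src, dst):
    # Simplification: "potentially trustworthy" is approximated by https.
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"

def referrer_for(policy, src, dst):
    """Referer value a browser sends for a navigation src -> dst, or None."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy!r}")
    full, org = strip_for_referrer(src), origin(src)
    same_origin = org == origin(dst)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if is_downgrade(src, dst) else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return org
    if policy == "strict-origin":
        return None if is_downgrade(src, dst) else org
    if policy == "origin-when-cross-origin":
        return full if same_origin else org
    # "strict-origin-when-cross-origin": full if same-origin, else as strict-origin
    if same_origin:
        return full
    return None if is_downgrade(src, dst) else org

def leaks_identifier(policy, src, dst):
    """True when the sent Referer carries more than the origin of src."""
    ref = referrer_for(policy, src, dst)
    return ref is not None and ref != origin(src)
```

Running `leaks_identifier("no-referrer-when-downgrade", "https://ocs.com/d/SECRET-ID", "https://our-server.com/")` returns True, while the same call with "strict-origin-when-cross-origin" returns False, which is the difference pages 36-37 and 45-46 describe.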