DIMVA 2019: On the Perils of Leaking Referrers in Online Collaboration Services - PowerPoint PPT Presentation
SLIDE 1
On the Perils of Leaking Referrers in Online Collaboration Services
DIMVA 2019
Authors: Beliz Kaleli (bkaleli@bu.edu), Manuel Egele (megele@bu.edu), Gianluca Stringhini (gian@bu.edu)
SLIDE 2
Beliz Kaleli
Online Collaboration Services (OCSs)
File operations:
▪ Upload/Create
▪ View/Edit online
▪ Share
SLIDE 3
Sharing a File on an OCS
Upload or Create → Share → https://www.ocs-name.com/<UniqueIdentifier>
Ideally an unguessable secret location: the <UniqueIdentifier> part of the share link.
SLIDE 4
This year McAfee reported that:
"8% of shared files contain sensitive data" [1]
▪ OCS files, used by individuals and companies, can contain sensitive information.
[1] https://www.skyhighnetworks.com/cloud-computing-trends-2019/
[Figure from [1]: Where cloud files are shared.]
SLIDE 5
Introduction
We show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files.
▪ 21 OCSs are analyzed on 6 different web browsers
SLIDE 6
Background - HTTP Referer
▪ HTTP request header that identifies the URI from which the request originated.

Example: an HTTP request issued from the page http://ocs.com/file1

Request header    Value
Accept            text/html, application/xhtml+xml
Accept-Encoding   gzip, deflate
Accept-Language   en-US, en; q=0.5
Connection        keep-alive
DNT               1
Host              ocs.com
Referer           http://ocs.com/file1
User-Agent        Mozilla/5.0 (X11; Linux x86_64)
SLIDE 7
Background - HTTP Referer
Purpose:
▪ Personalize the website: provide specific help, suggest relevant pages to targeted users
▪ Generate special offers
▪ Webpage analytics (e.g., analyzing where most of the traffic is coming from)
▪ Block visitors from specific domains
The HTTP Referer field is configurable with the Referrer Policy [1]
[1] W3C Candidate Recommendation referrer policy. https://www.w3.org/TR/referrer-policy/.
SLIDE 8
Background - Existing Mitigations
▪ Referrer Policy, with one of the following values:
  - "no-referrer"
  - "no-referrer-when-downgrade"
  - "same-origin"
  - "origin"
  - "strict-origin"
  - "origin-when-cross-origin"
  - "strict-origin-when-cross-origin"
  - "unsafe-url"
▪ HTML link type (i.e. rel="noreferrer")

What the HTTP Referer header carries under each referrer structure:
No Referrer               (header omitted)
ASCII serialized origin   http(s)://www.service-name.com/
Full Referrer             http(s)://www.service-name.com/<UniqueIdentifier>
SLIDE 9
Attack Model
[Diagram, built up over slides 9 to 13; the sequence is:]
▪ A file stored on the OCS contains a link to maggi.cc, a site controlled by Eve.
▪ The file is shared via its secret URL.
▪ Whoever opens the secret URL and clicks the embedded link sends a request to maggi.cc that carries "Referrer: secret URL".
▪ Eve reads the secret URL from the Referer header of that request and can now visit the file herself.
SLIDE 14
Alice: Upload/Create file
SLIDE 15
https://docs.google.com/document/d/17AA7PNbyu94pHe8QxKHKq8SsKPuLZV-9-ZrWvV-k45o/edit?usp=sharing
Alice: Share file
SLIDE 16
Bob: Visit link
SLIDE 17
Implementation - Methodology
To test our attack model on real-world OCSs:
1. Identifying relevant services
2. Creating files
3. Sharing files
4. Examining the referrer
SLIDE 18
Implementation - Identifying Relevant Services
▪ We obtained the most popular services by Google queries and by crawling Alexa lists:
  ▪ Top/Computers/Internet/File_Sharing
  ▪ Top/Computers/Internet/On_the_Web/Web_Applications/Storage
▪ Test manually:
  ▪ Set up an account
  ▪ Upload/Create a file with a link to our server
  ▪ Check if the link is clickable
  ▪ Check if the file is shareable via a URL
[Diagram: the uploaded file contains a link to our-server.com]
SLIDE 19
Implementation - Creating Files
▪ Created different types of files: ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".note", etc.
[Diagram: the embedded URL points to our web server, where the HTTP headers of every request are logged]
SLIDE 20
Implementation - Sharing Files
Relevant OCSs = File Hosting Services + Instant Messaging Services
For file hosting services and instant messaging services:
▪ Shared through links which are editable or view-only
For some instant messaging services (e.g., Flock):
▪ File sent directly to a chat between two accounts
SLIDE 21
Implementation - Examining Referrers
[Flow, built up over slides 21 to 30:]
1. Alice uploads the file (with its embedded link to our-server.com) to the OCS and shares it, which yields the secret URL.
2. Bob visits the secret URL and clicks on the embedded link; our-server.com logs the request headers.
3. Collect the Referrer URL from the output of the logging script.
4. Visit the recorded Referrer URL:
   ▪ File is accessed → Secret URL is leaked
   ▪ File is NOT accessed → Secret URL is NOT leaked
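The measurement step above, reconstructed as an added Python example (it is not the authors' script): our-server.com is stood in for by a localhost HTTP server that records the Referer of every hit, and classify() decides whether the recorded value would let an attacker open the file, i.e. whether visiting it reaches the secret share URL. The three Referer values replayed by run_demo() are constructed to stand for Bob's browser sending the full referrer, only the origin, and no referrer at all.

```python
"""our-server.com stand-in: log the Referer of every hit, then judge the leak.

Added example, not the authors' script. Bound to localhost so it runs offline.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

LOG = []  # (path requested on our server, Referer header value or None)


class RefererLogger(BaseHTTPRequestHandler):
    """Answers every GET with 200 and records what the browser sent as Referer."""

    def do_GET(self):
        LOG.append((self.path, self.headers.get("Referer")))
        body = b"logged\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet; LOG is the record we care about


def classify(referer, secret_url):
    """What the logged Referer reveals about the secret share URL.

    'leaked'      full secret path present: visiting it opens the file
    'origin-only' only scheme://host/ (an ASCII-serialized origin)
    'none'        header omitted
    'other'       a different page on the OCS, e.g. a redirect interstitial
    """
    if not referer:
        return "none"
    ref, sec = urlsplit(referer), urlsplit(secret_url)
    same_site = (ref.scheme, ref.hostname) == (sec.scheme, sec.hostname)
    if same_site and ref.path == sec.path:
        return "leaked"
    if same_site and ref.path in ("", "/") and not ref.query:
        return "origin-only"
    return "other"


def serve_in_background():
    """Start the logger on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), RefererLogger)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo(secret_url):
    """Replay three clicks on the embedded link and classify what each one leaked."""
    server, base = serve_in_background()
    LOG.clear()
    # Constructed Referer values standing in for Bob's browser under a full-referrer
    # policy, an origin-only policy, and no-referrer respectively.
    replay = [secret_url, urlsplit(secret_url)._replace(path="/", query="").geturl(), None]
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        for referer in replay:
            req = urllib.request.Request(base + "/landing")
            if referer is not None:
                req.add_header("Referer", referer)
            opener.open(req, timeout=5).read()
    finally:
        server.shutdown()
        server.server_close()
    return [classify(ref, secret_url) for _, ref in LOG]


if __name__ == "__main__":
    print(run_demo("https://www.ocs-name.com/s/UniqueIdentifier?usp=sharing"))
```

In the real experiment the last step is manual (visit the recorded URL and see whether the file opens); classify() only encodes the rule that a referrer carrying the full secret path is the one that leaks, while an origin-only value gives the attacker nothing to visit.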
SLIDE 31
Referrer Policy
First Public Draft (2014):
▪ "none"
▪ "none-when-downgrade"
▪ "origin-only"
▪ "origin-when-cross-origin"
▪ "unsafe-url"

Working Draft (2016):
▪ "no-referrer"
▪ "no-referrer-when-downgrade"
▪ "same-origin"
▪ "origin"
▪ "strict-origin"
▪ "origin-when-cross-origin"
▪ "strict-origin-when-cross-origin"
▪ "unsafe-url"

Currently a Candidate Recommendation
SLIDE 33
Evaluation - Common Insights
Reasons behind vulnerabilities:
Services
▪ Referrer Policy is not set by the OCS
▪ Referrer Policy option is not secure enough
▪ Different behavior on mobile and desktop browsers
Browsers
▪ Edge and iOS Safari support an older draft of Referrer Policy
SLIDE 34
Evaluation
7/21 Vulnerable
[Table: result per OCS and browser; legend: Vulnerable / Not vulnerable / N/A]
SLIDE 35
Evaluation
▪ Edge and iOS Safari support an older draft of Referrer Policy
  e.g., Overleaf
  ▪ "origin-when-cross-origin" → Overleaf changed to "no-referrer" and added rel="noreferrer" → no longer vulnerable
SLIDE 36
Evaluation
▪ Different behaviors on desktop and mobile browsers: PDF.js removes referrers, built-in mechanisms may not
  e.g., Box
  ▪ Desktop browsers - PDF.js (removes referrers in requests)
  ▪ Mobile browsers - native PDF viewer (no referrer removal)
  ▪ "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS
SLIDE 37
Evaluation
▪ Referrer Policy is not set by the OCS
  e.g., Onehub, LinkedIn SlideShare, Evernote
  ▪ Fallback to "no-referrer-when-downgrade"
  ▪ Vulnerable: HTTPS → HTTPS
SLIDE 38
Adoption of Referrer Policy
▪ First 100K of the lists
[Chart: adoption of each Referrer Policy value; marked values are the less safe options]
SLIDE 39
Countermeasures
User:
▪ Configure browser settings
▪ Use browser extensions
▪ Use private browsing mode (on Firefox)
Provider:
▪ Trim HTTP Referer to only display the hostname
▪ Use rel="noreferrer"
▪ Redirect links inside documents
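The provider-side items above (rel="noreferrer", a document-wide referrer policy, and redirecting links inside documents) as an added Python example; it is not the code of any OCS named on these slides. harden_links() rewrites the HTML an OCS would render for a shared file, and redirect_response() shows what the redirect endpoint has to answer so the original document URL is not carried across the redirect. The /redirect path, the "no-referrer" choice and the sample document are assumptions of this example.

```python
"""Provider-side link hardening for a rendered shared document.

Added example; not the code of any OCS named on these slides. Assumed: the OCS
serves a /redirect endpoint (a path that never contains the document id) and is
willing to set a document-wide "no-referrer" policy.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_PATH = "/redirect"   # assumption: interstitial at a non-secret path
META_POLICY = "no-referrer"   # the "safer" policy the deck recommends


class LinkHardener(HTMLParser):
    """Copies the document through, rewriting <head> and every <a>."""

    def __init__(self, document_origin):
        super().__init__(convert_charrefs=False)
        self.document_origin = document_origin
        self.out = []

    @staticmethod
    def _is_referrer_meta(tag, attrs):
        return tag == "meta" and (dict(attrs).get("name") or "").lower() == "referrer"

    def _harden_anchor(self, attrs):
        hardened, has_rel = [], False
        for name, value in attrs:
            if (name == "href" and value and urlsplit(value).scheme in ("http", "https")
                    and not value.startswith(self.document_origin)):
                # external link: send the click through the redirect endpoint
                value = REDIRECT_PATH + "?" + urlencode({"url": value})
            elif name == "rel":
                has_rel = True
                tokens = value.split() if value else []
                if "noreferrer" not in tokens:
                    tokens.append("noreferrer")
                value = " ".join(tokens)
            hardened.append((name, value))
        if not has_rel:
            hardened.append(("rel", "noreferrer"))
        return hardened

    def handle_starttag(self, tag, attrs):
        if self._is_referrer_meta(tag, attrs):
            return  # superseded by the meta inserted right after <head>
        if tag == "head":
            self.out.append(self.get_starttag_text()
                            + f'<meta name="referrer" content="{META_POLICY}">')
        elif tag == "a":
            parts = "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
                            for n, v in self._harden_anchor(attrs))
            self.out.append(f"<a{parts}>")
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if not self._is_referrer_meta(tag, attrs):
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def harden_links(html, document_origin):
    """html with rel="noreferrer" on every <a>, external hrefs routed through
    REDIRECT_PATH, and a <meta name="referrer"> inserted right after <head>."""
    parser = LinkHardener(document_origin)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def redirect_response(query_string):
    """(status, headers) the redirect endpoint answers with.

    A bare 302 would still forward the document URL as Referer on the redirected
    request; the Referrer-Policy header on the redirect response stops that.
    Only http(s) targets are accepted, so javascript: and similar are refused.
    """
    target = parse_qs(query_string).get("url", [""])[0]
    if urlsplit(target).scheme not in ("http", "https"):
        return 400, {}
    return 302, {"Location": target, "Referrer-Policy": "no-referrer"}


# Constructed sample of what an OCS might render for a shared document.
SAMPLE_HTML = ('<html><head><title>Shared doc</title></head><body>'
               '<p>See <a href="https://maggi.cc/report">this</a> &amp; '
               '<a href="/d/UniqueIdentifier/other" rel="nofollow">that</a></p>'
               '</body></html>')

if __name__ == "__main__":
    print(harden_links(SAMPLE_HTML, "https://www.ocs-name.com"))
    print(redirect_response("url=https%3A%2F%2Fmaggi.cc%2Freport"))
```

The redirect only helps when the endpoint itself sets Referrer-Policy (or otherwise drops the referrer); otherwise browsers keep the referrer of the original navigation across the 302, and the interstitial buys nothing. Documents opened in viewers that ignore rel attributes (the native PDF viewers from slide 36) are exactly the case the redirect is for.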
SLIDE 40
Future Steps
▪ Analyze different browsers and OCSs ▪ Investigate whether this vulnerability is known
▪ Embed links to several real-world websites
▪ Analyze the use of information
▪ Fill files with fake sensitive data
SLIDE 41
Conclusion
▪ We analyzed 21 OCSs by uploading different types of documents containing a link referring to our servers
▪ 7 out of 21 services are vulnerable
▪ Improper use of the Referrer Policy by online services
▪ Limited support offered by web browsers
SLIDE 42
THANK YOU
SLIDE 43
▪ "no-referrer": the Referer header is omitted entirely for requests to any origin.
▪ "no-referrer-when-downgrade": the full referrer is sent in requests from a TLS-protected environment to a potentially trustworthy URL, and also from a non-TLS-protected environment to any origin. Conversely, the Referer header is omitted in requests from a TLS-protected environment to a non-potentially-trustworthy URL.
▪ "same-origin": a full URL, stripped for use as a referrer (the algorithm to strip URLs is defined in [8]), is sent within same-origin requests. The Referer header is omitted in cross-origin requests.
▪ "origin": with both same-origin and cross-origin requests, an ASCII serialization of the referrer's origin is sent. An example of this serialization result is given in Table 1.
▪ "strict-origin": an ASCII serialization of the referrer's origin is sent along with requests from a TLS-protected environment to a potentially trustworthy URL and from a non-TLS-protected environment to any origin. No referrer is sent from a TLS-protected environment to a non-potentially-trustworthy URL.
▪ "origin-when-cross-origin": a full URL, stripped for use as a referrer, is sent within same-origin requests. An ASCII serialization of the referrer's origin is sent within cross-origin requests.
▪ "strict-origin-when-cross-origin": a full URL, stripped for use as a referrer, is sent within same-origin requests. For cross-origin requests, the same rules as for "strict-origin" apply.
▪ "unsafe-url": a full URL, stripped for use as a referrer, is sent within both same-origin and cross-origin requests.
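The Referrer Policy rules on slide 43, together with the HTTPS → HTTPS cases on slides 36 and 37, as an added Python model (not code from the paper): referrer_for() computes the Referer value a browser following these rules sends from a share link to a destination, leaks_secret() checks whether that value still carries the secret path, and the known parameter models a browser that only understands the 2014 draft tokens of slides 31 and 32, so that a newer token falls back to the default exactly as an unset policy does. The share link, the maggi.cc destinations, and treating every non-https: destination as a downgrade are this example's simplifications.

```python
"""Model of the Referrer Policy rules above (https://www.w3.org/TR/referrer-policy/).

Added example, not code from the paper. Simplifications: a "downgrade" is any
request from an https: page to a non-https: URL, and every https: URL counts as
potentially trustworthy.
"""
from urllib.parse import urlsplit, urlunsplit

MODERN_POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
# Spellings from the 2014 First Public Draft (slides 31-32) -> modern token.
DRAFT_2014_ALIASES = {
    "none": "no-referrer",
    "none-when-downgrade": "no-referrer-when-downgrade",
    "origin-only": "origin",
    "origin-when-cross-origin": "origin-when-cross-origin",
    "unsafe-url": "unsafe-url",
}
# Applied when the OCS sets no policy (slide 37) or a token the browser does not
# recognise (the spec ignores unknown tokens, so they behave like no policy).
DEFAULT_POLICY = "no-referrer-when-downgrade"


def _host_port(u):
    return f"{u.hostname}:{u.port}" if u.port else (u.hostname or "")


def origin_of(url):
    """ASCII serialization of the origin, with the trailing '/' browsers send."""
    u = urlsplit(url)
    return f"{u.scheme}://{_host_port(u)}/"


def stripped(url):
    """Full URL 'stripped for use as a referrer': credentials and fragment dropped."""
    u = urlsplit(url)
    return urlunsplit((u.scheme, _host_port(u), u.path or "/", u.query, ""))


def referrer_for(policy, source, dest, known=MODERN_POLICIES):
    """Referer value (None = header omitted) for a request from source to dest.

    `known` is the set of tokens this browser understands; anything else is
    treated as unset, which is how a 2016 token behaves on a 2014-draft browser.
    """
    if policy not in known:
        policy = DEFAULT_POLICY
    policy = DRAFT_2014_ALIASES.get(policy, policy)
    src, dst = urlsplit(source), urlsplit(dest)
    same_origin = origin_of(source) == origin_of(dest)
    downgrade = src.scheme == "https" and dst.scheme != "https"
    full, origin = stripped(source), origin_of(source)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unhandled policy {policy!r}")


def leaks_secret(policy, secret_url, dest, known=MODERN_POLICIES):
    """True when the Referer sent to dest still contains the secret path."""
    ref = referrer_for(policy, secret_url, dest, known)
    return ref is not None and urlsplit(ref).path == urlsplit(secret_url).path


def leak_table(secret_url, dest, known=MODERN_POLICIES):
    """{policy: leaks?} for an unset policy ('') and every modern token."""
    return {p: leaks_secret(p, secret_url, dest, known) for p in ("",) + MODERN_POLICIES}


# Constructed share link and attacker-controlled destinations (not real services).
SECRET_URL = "https://www.ocs-name.com/s/UniqueIdentifier?usp=sharing"
EVE_HTTPS = "https://maggi.cc/landing"
EVE_HTTP = "http://maggi.cc/landing"

if __name__ == "__main__":
    for policy, leaked in leak_table(SECRET_URL, EVE_HTTPS).items():
        print(f"{policy or '(unset)':32} HTTPS->HTTPS leaked={leaked}")
    old = set(DRAFT_2014_ALIASES)
    print("strict-origin-when-cross-origin on a 2014-draft browser leaks:",
          leaks_secret("strict-origin-when-cross-origin", SECRET_URL, EVE_HTTPS, old))
```

Running it reproduces the deck's finding: for an https: share link and an https: attacker page only the unset policy, "no-referrer-when-downgrade" and "unsafe-url" leak the full path, every origin-* variant hands over just https://www.ocs-name.com/, and a token the browser does not know is as bad as setting nothing.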
SLIDE 45
Countermeasures - “Safer” Policies
▪ "no-referrer"
  ▪ all requests: no referrer
▪ "same-origin"
  ▪ same-origin requests: full referrer
  ▪ cross-origin requests: no referrer