On the Perils of Leaking Referrers in Online Collaboration Services

Authors: Beliz Kaleli, Manuel Egele, Gianluca Stringhini

DOI: 10.1007/978-3-030-22038-9_4

Keywords: Computer science, Ease of Access, Internet security, HTTP referer, Computer security, Service (business), File sharing, Resource (project management), restrict, Client-side

Abstract: Online collaboration services (OCS) are appealing since they provide ease of access to resources and the ability to collaborate on shared files. Documents in these services are frequently shared via secret links, which allows easy sharing between different users. The security of this secret-link approach relies on the fact that only those who know the location of a resource (i.e., its URL) can access it. In this paper, we show that OCS files can be leaked by improper handling of links embedded in them. Specifically, if a user clicks on a link in a file hosted on an OCS, the HTTP Referer contained in the resulting request might leak the file's URL. We present a study of 21 online collaboration services and find seven of them vulnerable to this kind of information disclosure caused by Referers. We identify two root causes for these issues, both having to do with the incorrect application of the Referrer Policy, a countermeasure designed to restrict how Referers are shared with third parties. In the first case, six services leak their referrers because they do not implement a strict enough or up-to-date policy. In the second case, one service correctly implements an appropriate policy, but some web browsers do not obey it, causing the URL to be leaked when a link is clicked through. To fix the problem, we discuss how to apply the Referrer Policy to avoid such incidents, as well as other server- and client-side countermeasures.
