web application security lab

Google Voice and URL Obfuscation No Nos

I was sent this URL from Engadget about Google Voice URLs being visible within Google Search. I see this kind of thing happen all the time. When you think that your URL is secure because you’re the only one who knows it, you are treading down a very scary path. At minimum, combine URL obfuscation with some user-level credential to ensure the person is really in control of that account. This is literally security 101.

I’ve always been a fan of obfuscation personally - people who think it doesn’t work fail to see that things like passwords are themselves obfuscation. It’s just about the fact that obfuscation only works as long as you’re the only one who knows it. As soon as you publish that information on the web, it’s just a matter of time before it goes bad - and in Google’s case, time is usually months. Chalk this up to another bad design decision. Way to go cloud!
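The advice above, an unguessable URL combined with a user-level credential, sketched as an added example (not code from this post or from Google). The function names, the in-memory store, the user names and the file name are assumptions made for illustration.

```python
import secrets

# Constructed in-memory store for the example; a real service would use its
# own database and session layer. All names here are hypothetical.
LINKS = {}  # token -> {"owner", "resource", "allowed", "revoked"}

# Headers that keep a shared URL out of search indexes, Referer headers and
# shared caches. They reduce leakage; they are not the access control.
NO_LEAK_HEADERS = {
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "private, no-store",
}

def create_share_link(owner, resource, allowed_users):
    """Mint an unguessable token and record who may use it."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    LINKS[token] = {"owner": owner, "resource": resource,
                    "allowed": set(allowed_users) | {owner}, "revoked": False}
    return token

def revoke_share_link(token, requester):
    """Only the owner can invalidate a link, e.g. after it was posted publicly."""
    link = LINKS.get(token)
    if link is None or link["owner"] != requester:
        return False
    link["revoked"] = True
    return True

def authorize(token, session_user):
    """Decide a request for /share/<token>. session_user is the identity from
    an authenticated session, or None for an anonymous visitor or crawler."""
    link = LINKS.get(token)
    if link is None or link["revoked"]:
        return 404, NO_LEAK_HEADERS, None      # unknown and revoked look alike
    if session_user is None:
        return 401, NO_LEAK_HEADERS, None      # knowing the URL is not enough
    if session_user not in link["allowed"]:
        return 403, NO_LEAK_HEADERS, None      # logged in, but not a recipient
    return 200, NO_LEAK_HEADERS, link["resource"]

if __name__ == "__main__":
    t = create_share_link("alice", "voicemail-0001.mp3", ["bob"])
    print(authorize(t, None)[0], authorize(t, "mallory")[0], authorize(t, "bob")[0])
    revoke_share_link(t, "alice")
    print(authorize(t, "bob")[0])
```

With this check in place, a URL that ends up in a search index, a proxy log or a forum post yields a 401 or 403 instead of the recording.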

9 Responses to “Google Voice and URL Obfuscation No Nos”

  1. Jason Wieland Says:

    This was intentional, not a mishap or oversight by Google. People posted their voicemail to public forums, then Google would naturally index them.

    Google wanted to not provide authentication on voicemail so that you can easily share them with peers.

    http://www.techcrunch.com/2009/10/19/the-best-of-the-google-voice-public-messages/


    Despite earlier speculation, this actually wasn’t an error, Google was doing this on purpose for users who had chosen to share their voicemails somewhere on the web.
    ….

    Jason

  2. mckt Says:

    When people say “no security through obscurity,” they aren’t generally referring to user-level tokens. They’re referring to obscurity in architecture, algorithms, etc.

    That said, I agree with you… If I can’t figure out what directory you’re storing your admin files in, I can’t get to it. There is SOME security through obscurity. The issue is that it doesn’t stand up well to time, unpredictable attackers, or sheer volume of attacks. Passwords may be obscure (and they really don’t stand up well to the above), but at least they’re easy to change.

    I still consider the “no security through obscurity” mantra to be true tho- you generally get more bang for your buck from doing things right the first time. It’s not a law, it’s a rule of thumb.

  3. RSnake Says:

    @Jason Wieland - from the same article you posted, “Following the hubbub over this, the company has decided to change its policy and not index them, but some of the damage is already done.” Damage implies this was a bad decision. I would agree with that assessment. Google has intended to do all sorts of dumb things from a security perspective. That’s not an excuse.

    @mckt - agreed, I was more making a point, but yes.

  4. Chris Says:

    I haven’t looked into this case much, but I disagree that obfuscation must be combined with a user credential. Obfuscated, or near impossible to guess/re-generate URLs, are a great tool for granting access to quasi-private information. For example, I use PicasaWeb to store and organize my photos online. Picasa galleries may be marked as either private or public. If I want to share a gallery with someone, I send them an obfuscated URL.

    This is much easier than having to manage a group list, worry about my friend’s Google accounts, or what not. If my friend is untrustworthy or careless and posts the URL somewhere indexable, I can invalidate the URL and make my data private again. This is equivalent security to granting my friend access and having them download all my photos.

    I wouldn’t use this process to store all of my corporate documents, but then again, I probably wouldn’t put all of my documents in “the cloud”.

  5. RSnake Says:

    @Chris - it doesn’t HAVE to be combined, sure. Just like it wasn’t in Google’s example and we saw how that turned out. The slippery slope here is when you allow more than one person to know the URL. Then that obfuscation is far less likely to work. Now, let’s say those pictures you were sharing were lewd ones and you were sharing them with your partner… would you really feel comfortable with URL obfuscation as your only defense? Cut and paste issues on either side aren’t worth thinking about? I mean, sure, it’s not THAT likely to happen - as we saw in Google’s case it was only 30 or so victims.

    So yes, you CAN do it securely, it just turns out that in practice it doesn’t work out like that when you force enough consumers to do the right thing with those “secured”/obfuscated URLs.

  6. Niels Says:

    “Google wanted to not provide authentication on voicemail so that you can easily share them with peers.”

    From a security point of view this is utter nonsense. If you want to share your voicemail with certain people, that doesn’t mean you want to disclose it to anyone. Google is following the security-by-obscurity concept, and it would be good if they would add authentication.

    If you want to share files on an FTP with a limited number of people, I suppose you don’t use anonymous FTP because it’s ‘easier’ compared to providing credentials, unless you don’t care about security.

    Also removing the voicemails from the Google search engine isn’t very effective - using Yahoo you can still find all the voicemails, and aside from that there are numerous ways to obtain the links as they are stored locally on the PC, they are stored in logfiles at the employer/provider, they are transmitted insecurely over the internet (sniffing / mitm attacks) and using malware you could harvest such information from desktops, to name a few examples.

    “I mean, sure, it’s not THAT likely to happen - as we saw in Google’s case it was only 30 or so victims.”

    Even if the links are not indexed by search engines, it’s very much possible to obtain them using other means, see above.

  7. Niels Says:

    @Jason:

    “Despite earlier speculation, this actually wasn’t an error, Google was doing this on purpose for users who had chosen to share their voicemails somewhere on the web.”

    It’s quite clear that this behaviour is on purpose, but that doesn’t mean that the product has been designed well from a security point of view.

  8. Niels Says:

    Google’s suggestion that they mitigate the risk by disabling indexing the links in Google Search is a bit hilarious. After all, they seem to ignore that they have numerous competitors, and that Google Search isn’t the only search engine available.

    See for example Yahoo Site Explorer search results:

    http://siteexplorer.search.yahoo.com/search?p=https://www.google.com/voice/fm/&y=Explore+URL&fr=sfp

  9. Niels Says:

    “So yes, you CAN do it securely, it just turns out that in practice it doesn’t work out like that when you force enough consumers to do the right thing with those “secured”/obfuscated URLs.”

    Do consumers have an option to secure the obfuscated URL, or is this functionality not available? If it is, at least people have the option to share the information in a more secure way.