Skip to main content

On the Perils of Leaking Referrers in Online Collaboration Services

Part of the Lecture Notes in Computer Science book series (LNSC,volume 11543)


Online collaboration services (OCS) are appealing since they provide ease of access to resources and the ability to collaborate on shared files. Documents on these services are frequently shared via secret links, which allows easy collaboration between different users. The security of this secret link approach relies on the fact that only those who know the location of the secret resource (i.e., its URL) can access it. In this paper, we show that the secret location of OCS files can be leaked by the improper handling of links embedded in these files. Specifically, if a user clicks on a link embedded into a file hosted on an OCS, the HTTP Referer contained in the resulting HTTP request might leak the secret URL. We present a study of 21 online collaboration services and show that seven of them are vulnerable to this kind of secret information disclosure caused by the improper handling of embedded links and HTTP Referers. We identify two root causes of these issues, both having to do with an incorrect application of the Referrer Policy, a countermeasure designed to restrict how HTTP Referers are shared with third parties. In the first case, six services leak their referrers because they do not implement a strict enough and up-to-date policy. In the second case, one service correctly implements an appropriate Referrer Policy, but some web browsers do not obey it, causing links clicked through them to leak their HTTP Referers. To fix this problem, we discuss how services can apply the Referrer Policy correctly to avoid these incidents, as well as other server and client side countermeasures.


  • Web security
  • Online collaboration services
  • Referrer leaking
  • File sharing

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    Ruled out services are:,,,,,,,,,,,,,,,,,,,,,,,,, true-,,,,,,,,,,,,,,,,,,,,,

  2. 2.

    The endpoint for this sanitation has the representative name of


  1. Alexa top lists. Accessed 09 Feb 2019

  2. Can i use support tables for html5, css3, etc

    Google Scholar 

  3. rel-noreferrer. Accessed 09 Feb 2019

  4. rel-noopener. Accessed 09 Feb 2019

  5. PDF.js. Accessed 09 Feb 2019

  6. Referer control. Accessed 09 Feb 2019

  7. Scriptsafe. Accessed 09 Feb 2019

  8. W3C Candidate Recommendation referrer policy. Accessed 09 Feb 2019

  9. WHATWG link type. Accessed 09 Feb 2019

  10. Referer control by, March 2017. Accessed 09 Feb 2019

  11. Andersdotter, A., Jensen-Urstad, A.: Evaluating websites and their adherence to data protection principles: tools and experiences. In: Lehmann, A., Whitehouse, D., Fischer-Hübner, S., Fritsch, L., Raab, C. (eds.) Privacy and Identity 2016. IAICT, vol. 498, pp. 39–51. Springer, Cham (2016).

    CrossRef  Google Scholar 

  12. Antonellis, I., Garcia-Molina, H., Karim, J.: Tagging with queries: how and why? In: ACM International Conference on Web Search and Data Mining (WSDM), Barcelona, Spain, p. 4, February 2009

    Google Scholar 

  13. Antoniades, D., Markatos, E.P., Dovrolis, C.: One-click hosting services: a file-sharing hideout. In: ACM SIGCOMM Internet Measurement Conference (IMC), Chicago, Illinois, USA, p. 223, ACM Press (2009)

    Google Scholar 

  14. Argyriou, M., Dragoni, N., Spognardi, A.: Security flows in OAuth 2.0 framework: a case study. In: Tonetta, S., Schoitsch, E., Bitsch, F. (eds.) SAFECOMP 2017. LNCS, vol. 10489, pp. 396–406. Springer, Cham (2017).

    CrossRef  Google Scholar 

  15. Balduzzi, M., Platzer, C., Holz, T., Kirda, E., Balzarotti, D., Kruegel, C.: Abusing social networks for automated user profiling. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 422–441. Springer, Heidelberg (2010).

    CrossRef  Google Scholar 

  16. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: ACM Conference on Computer and Communications Security (CCS), Alexandria, Virginia, USA, p. 75. ACM Press (2008)

    Google Scholar 

  17. Dolnak, I.: Implementation of referrer policy in order to control HTTP Referer header privacy. In: 2017 15th International Conference on Emerging eLearning Technologies and Applications (ICETA) (2017)

    Google Scholar 

  18. Ibosiola, D., Steer, B., Garcia-Recuero, A., Stringhini, G., Uhlig, S., Tyson, G.: Movie pirates of the Caribbean: exploring illegal streaming cyberlockers. In: International AAAI Conference on Web and Social Media (ICWSM), Stanford, CA, p. 10 (2018)

    Google Scholar 

  19. IETF Network Working Group. Hypertext transfer protocol - http/1.1.

  20. Invernizzi, L., Thomas, K., Kapravelos, A., Comanescu, O., Picod, J.-M., Bursztein, E.: Cloak of visibility: detecting when machines browse a different web. In: 2016 IEEE Symposium on Security and Privacy (SP) (2016)

    Google Scholar 

  21. Jelveh, Z., Ross, K.: Profiting from filesharing: a measurement study of economic incentives in cyberlockers. In: IEEE International Conference on Peer-to-Peer Computing (P2P), Tarragona, Spain, pp. 57–62. IEEE, September 2012

    Google Scholar 

  22. Krishnamurthy, B., Wills, C.E.: Cat and mouse: content delivery tradeoffs in web access. In: International Conference on World Wide Web (WWW), Edinburgh, Scotland, p. 337. ACM Press (2006)

    Google Scholar 

  23. Krishnamurthy, B., Wills, C.E.: Generating a privacy footprint on the internet. In: ACM SIGCOMM on Internet Measurement (IMC), Rio de Janeriro, Brazil, p. 65. ACM Press (2006)

    Google Scholar 

  24. Kushmerick, N., McKee, J., Toolan, F.: Towards zero-input personalization: referrer-based page prediction. In: Brusilovsky, P., Stock, O., Strapparava, C. (eds.) AH 2000. LNCS, vol. 1892, pp. 133–143. Springer, Heidelberg (2000).

    CrossRef  Google Scholar 

  25. Lauinger, T., Onarlioglu, K., Chaabane, A., Kirda, E., Robertson, W., Kaafar, M.A.: Holiday pictures or blockbuster movies? Insights into copyright infringement in user uploads to one-click file hosters. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 369–389. Springer, Heidelberg (2013).

    CrossRef  Google Scholar 

  26. Lavrenovs, A., Melon, F.J.R.: Http security headers analysis of top one million websites. In: 2018 10th International Conference on Cyber Conflict (CyCon) (2018)

    Google Scholar 

  27. Lazarov, M., Onaolapo, J., Stringhini, G.: Honey sheets: what happens to leaked Google spreadsheets? In: Proceedings of the 9th USENIX Conference on Cyber Security Experimentation and Test (CSET 2016), Austin, TX, p. 8 (2016)

    Google Scholar 

  28. Li, W. Mitchell, C.J., Chen, T.: Mitigating CSRF attacks on OAuth 2.0 systems. In: 2018 16th Annual Conference on Privacy, Security and Trust (PST) (2018)

    Google Scholar 

  29. Nikiforakis, N., Balduzzi, M., Acker, S.V., Joosen, W., Balzarotti, D.: Exposing the lack of privacy in file hosting services. In: USENIX Conference on Large-Scale Exploits and Emergent Threats, p. 8, March 2011

    Google Scholar 

  30. Nikiforakis, N., Van Acker, S., Piessens, F., Joosen, W.: Exploring the ecosystem of referrer-anonymizing services. In: Fischer-Hübner, S., Wright, M. (eds.) PETS 2012. LNCS, vol. 7384, pp. 259–278. Springer, Heidelberg (2012).

    CrossRef  Google Scholar 

  31. Onaolapo, J., Lazarov, M., Stringhini, G.: Master of sheets: a tale of compromised cloud documents. In: Proceedings of the Workshop on Attackers and Cyber-Crime Operations (WACCO), Goteborg, Sweden (2019)

    Google Scholar 

  32. Wang, D.Y., Savage, S., Voelker, G.M.: Cloak and dagger. In: Proceedings of the 18th ACM Conference on Computer and Communications Security - CCS 2011 (2011)

    Google Scholar 

  33. Wondracek, G., Holz, T., Kirda, E., Kruegel, C.: A practical attack to de-anonymize social network users. In: IEEE Symposium on Security and Privacy, Oakland, CA, USA. IEEE (2010)

    Google Scholar 

  34. Wu, B., Davison, B.D.: Detecting semantic cloaking on the web. In: Proceedings of the 15th International Conference on World Wide Web - WWW 2006 (2006)

    Google Scholar 

  35. Zheng, G., Peltsverger, S.: Web Analytics Overview, 3rd edn., pp. 7674–7683. IGI Global, Hershey (2015). Encyclopedia of Information Science and Technology

    Google Scholar 

Download references


This work was partially funded by the Office of Naval Research under grants N00014-17-1-2541 and N00014-17-1-2011. We would like to thank the anonymous reviewers for their insightful feedback which helped us improve the final version of our paper.

Author information

Authors and Affiliations


Corresponding authors

Correspondence to Beliz Kaleli , Manuel Egele or Gianluca Stringhini .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Kaleli, B., Egele, M., Stringhini, G. (2019). On the Perils of Leaking Referrers in Online Collaboration Services. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science(), vol 11543. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9

  • eBook Packages: Computer ScienceComputer Science (R0)