Security researchers warn that “sensitive information” is being leaked by urlscan.io, a website scanner for suspicious and malicious URLs. “Sensitive URLs for shared documents, password reset pages, team invitations, payment invoices and more are publicly listed and searchable,” Positive Security co-founder Fabian Bräunlein said in a report published on November 2, 2022.
The Berlin-based cybersecurity firm said it began the investigation after GitHub notified an unknown number of users in February 2022 that their usernames and private repository names (that is, URLs of GitHub Pages sites) had been shared with urlscan.io for metadata analysis as part of an automated process. Urlscan.io, described as a sandbox for the web, is integrated into many security solutions through its API.
“With the type of integration of this API (for example through a security tool that scans every incoming email and does a urlscan on all links), and the amount of data in the database, a wide variety of sensitive data can be searched and retrieved ... by an anonymous user,” Bräunlein noted.

This includes password reset links, email unsubscribe links, account creation URLs, API keys, information about Telegram bots, DocuSign signature requests, shared Google Drive links, Dropbox file transfers, invitation links to services such as SharePoint, Discord and Zoom, PayPal invoices, Cisco Webex meetings, and URLs for recordings and package tracking.
Bräunlein pointed out that an initial search in February revealed “juicy URLs” belonging to Apple domains, some of which contained publicly shared links to iCloud files and calendar invitation responses. They have since been removed. Apple is said to have requested that its domains be excluded from urlscan.io results, meaning that scan results matching certain predefined rules are periodically removed.
Positive Security added that it received a response from an unnamed company, one of many whose email addresses had been leaked, which traced the leak of a DocuSign work contract link to a misconfiguration of its Security Orchestration, Automation, and Response (SOAR) solution that was integrating with urlscan.io. In addition, the analysis found that misconfigured security tools submitted any link received via email as a public scan to urlscan.io.
A malicious actor could trigger password resets for affected email addresses, retrieve the reset URLs from the public scan results, and take over the accounts by setting a password of the attacker’s choice, which can have serious consequences.
Following responsible disclosure by Positive Security in July 2022, urlscan.io advised users to “understand the various scan visibilities, review your own scans for non-public information, review your automated submission workflows [and] implement maximum scan visibility for your account.”
It also added deletion rules that regularly delete past and future scans matching search patterns, and noted that it maintains domain and URL pattern blacklists to prevent specific websites from being scanned.
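The misconfiguration described above (a SOAR or email-security integration forwarding every link it sees as a public scan) and urlscan.io's two recommendations (pick a non-public scan visibility and review automated submission workflows) can be enforced on the submitting side. The following is an added example, not code from urlscan.io, Positive Security, or any integration mentioned in the article: a pre-submission filter that refuses to build a request with `public` visibility and withholds URLs that look like single-use or bearer links (password reset, invitation, signing, shared-file and token-carrying URLs). The `url` and `visibility` field names follow urlscan.io's public scan API as I understand it; the sensitive-link patterns and sample URLs are constructed for illustration and would be tuned per organisation. Nothing is sent over the network; the function only builds or rejects the request body.

```python
"""Pre-submission filter for an automated urlscan.io integration (added example).

Assumes a workflow that would otherwise forward every link from incoming
mail to the scan API. Two controls from the disclosure are implemented:
  1. never produce a submission with 'public' visibility;
  2. withhold URLs that look like single-use or bearer links entirely, so a
     token-carrying link never leaves the organisation in the first place.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed heuristics for the link types named in the report (password
# reset, invitations, unsubscribe, document signing, shared storage, invoices).
# They deliberately err on the side of withholding a scan.
SENSITIVE_PATH_WORDS = re.compile(
    r"(reset|password|invite|invitation|unsubscribe|signing|share|invoice|docusign|join)",
    re.IGNORECASE,
)

# Query-string keys that usually carry a secret or a one-time code.
TOKEN_PARAMS = {"token", "key", "api_key", "apikey", "code", "sig", "signature",
                "access_token", "auth"}

# A long opaque identifier (hex / base64url / document id) in path or query.
LONG_OPAQUE = re.compile(r"[A-Za-z0-9_\-]{24,}")

# 'public' is deliberately absent: a public scan is searchable by anyone.
ALLOWED_VISIBILITY = {"unlisted", "private"}


def classify_url(url: str) -> str:
    """Return 'sensitive' if the URL looks like a bearer/single-use link, else 'ok'."""
    parts = urlparse(url)
    if SENSITIVE_PATH_WORDS.search(parts.path):
        return "sensitive"
    if any(k.lower() in TOKEN_PARAMS for k in parse_qs(parts.query)):
        return "sensitive"
    if LONG_OPAQUE.search(parts.path) or LONG_OPAQUE.search(parts.query):
        return "sensitive"
    return "ok"


def build_scan_request(url: str, visibility: str = "private"):
    """Return the JSON body for a scan submission, or None if the URL is withheld.

    Raises ValueError if a caller asks for a visibility outside the allow-list,
    so a misconfigured workflow fails loudly instead of leaking silently.
    """
    if visibility not in ALLOWED_VISIBILITY:
        raise ValueError(f"visibility {visibility!r} not allowed; use one of {sorted(ALLOWED_VISIBILITY)}")
    if classify_url(url) == "sensitive":
        return None
    return {"url": url, "visibility": visibility}


def filter_batch(urls, visibility: str = "private"):
    """Split a batch of links into (request bodies to submit, URLs withheld)."""
    bodies, withheld = [], []
    for u in urls:
        body = build_scan_request(u, visibility)
        if body is None:
            withheld.append(u)
        else:
            bodies.append(body)
    return bodies, withheld


if __name__ == "__main__":
    # Constructed sample links of the kinds the report describes.
    sample = [
        "https://www.example.com/blog/article?utm_source=newsletter",
        "https://example.com/reset-password?token=abc123",
        "https://drive.example.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz123/view",
    ]
    to_submit, held = filter_batch(sample)
    print("submit:", to_submit)
    print("withheld:", held)
```

Because `public` is rejected rather than merely discouraged, a later change to the integration cannot quietly reintroduce the behaviour the article describes; the withheld list is worth logging so an analyst can see what the filter is catching and adjust the patterns.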
“This information can be used by spammers to harvest email addresses and other personal information,” Bräunlein said. “Cybercriminals can use it to take over accounts and run phishing campaigns.”