Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data
Security researchers are warning of “a trove of sensitive information” leaking through urlscan.io, a website scanner for suspicious and malicious URLs.
“Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable,” Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.
The Berlin-based cybersecurity firm said it started an investigation in the aftermath of a notification sent by GitHub in February 2022 to an unknown number of users about sharing their usernames and private repository names (i.e., GitHub Pages URLs) to urlscan.io for metadata analysis as part of an automated process.
Urlscan.io, which has been described as a sandbox for the web, is integrated into several security solutions via its API.
“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” Bräunlein noted.
This included password reset links, email unsubscribe links, account creation URLs, API keys, information about Telegram bots, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, invite links to services like SharePoint, Discord, Zoom, PayPal invoices, Cisco Webex meeting recordings, and even URLs for package tracking.
Bräunlein pointed out that an initial search in February revealed “juicy URLs” belonging to Apple domains, some of which also consisted of publicly-shared links to iCloud files and calendar invite responses, and have since been removed.
Apple is said to have requested an exclusion of its domains from the URL scans such that results matching certain predefined rules are periodically deleted.
Positive Security further added that it reached out to a number of those leaked email addresses, receiving one response from an unnamed organization that traced the leak of a DocuSign work contract link to a misconfiguration of its Security Orchestration, Automation, and Response (SOAR) solution, which was being integrated with urlscan.io.
On top of that, the analysis has also found that misconfigured security tools are submitting any link received via mail as a public scan to urlscan.io.
This could have serious consequences wherein a malicious actor can trigger password reset links for the affected email addresses and exploit the scan results to capture the URLs and take over the accounts by resetting to a password of the attacker’s choice.
To maximize the effectiveness of such an attack, the adversary can search data breach notification sites like Have I Been Pwned to determine the exact services that were registered using the email addresses in question.
Urlscan.io, following responsible disclosure from Positive Security in July 2022, has urged users to “understand the different scan visibilities, review your own scans for non-public information, review your automated submission workflows, [and] enforce a maximum scan visibility for your account.”
It has also added deletion rules to regularly purge delete past and future scans matching the search patterns, stating it has domain and URL pattern blocklists in place to prevent scanning of particular websites.
“This information could be used by spammers to collect email addresses and other personal information,” Bräunlein said. “It could be used by cyber criminals to take over accounts and run believable phishing campaigns.”