Sensitive URLs and data accidentally leaked through the Urlscan.io API
Researchers have warned of enterprise software misconfigurations leading to the leak of sensitive records on urlscan.io.

Urlscan.io is a website scan and analysis engine. The system accepts URL submissions and generates a wealth of data, including domains, IPs, DOM information, and cookies, alongside screenshots.

The developers say the engine’s purpose is to allow “anyone to easily and confidently analyze unknown and potentially malicious websites”. Urlscan.io supports many enterprise customers and open source projects, and an API is provided to integrate these checks into third-party products.

GitHub warning

In a blog post published today (November 2), Positive Security said the urlscan API came to its attention due to an email sent by GitHub in February, warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Upon further investigation, Positive Security found that this could include urlscan.io dorks, password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices.

Pingbacks to leaked email addresses appeared to show that misconfigured security tools that submitted links received via email as public scans to urlscan.io were the culprits.

For example, many API integrations, identifiable by their generic python-requests/2.X.Y user agents, ignored account visibility settings, thus allowing scans to be wrongfully submitted as public.

SOAR misconfiguration

Positive Security reached out to numerous leaked email addresses and there was only one response – from an organization that sent an employee a DocuSign link to their work contract and subsequently launched an investigation.

The employer found that a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io, was at fault.

Positive Security examined historic urlscan.io information and uncovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they would appear on urlscan.

For users of such misconfigured clients, password resets for many web services can be triggered, and the leaked link used to set a new password and take over the accounts.

Speaking to Daily Swig, Fabian Bräunlein, co-founder of Positive Security said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan overhaul

Once the assessment of the issue’s impact was completed in July, Positive Security reported its findings to urlscan.io. As a result, the cybersecurity firm and urlscan.io developers worked together to address the problems uncovered, leading to the release of a new engine version later in the month.

The improved software includes an enhanced scan visibility interface and team-wide visibility settings.

Urlscan.io subsequently also published Scan Visibility Best Practices, which explain the security benefits and risks posed by three visibility settings users choose between when submitting a URL: ‘Public’, ‘Unlisted’, and ‘Private’.
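The misconfigurations described above shared one trait: the integration never stated a visibility itself and relied on the account default. The following is an added example, not code from the article, Positive Security or urlscan.io, of how a SOAR-style integration can pin the visibility on every submission. It assumes the public urlscan.io scan endpoint (`POST /api/v1/scan/` with an `API-Key` header and a JSON body carrying `url` and `visibility`); the policy helpers, the allowlist and the token-parameter heuristic are constructed for this example and are not part of the urlscan.io API.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Assumed: the documented urlscan.io submission endpoint and the three
# visibility values named in the article.
SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"
VISIBILITIES = ("public", "unlisted", "private")

# Constructed placeholder: only hosts an operator has explicitly allowlisted
# may ever be submitted as "public". Links lifted from inbound email never are.
PUBLIC_ALLOWLIST = {"example.com"}

# Constructed heuristic: query parameters that usually carry one-time secrets
# (password reset tokens, signing links, invite codes). A URL carrying any of
# these is forced to "private" regardless of what the caller asked for.
SECRET_PARAM_NAMES = {"token", "code", "key", "reset", "sig", "signature", "invite"}


def carries_secret_param(url):
    """Return True if the URL's query string has a parameter that looks like a secret."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(name.lower() in SECRET_PARAM_NAMES for name in query)


def effective_visibility(url, requested):
    """Apply the submission policy and return the visibility actually used."""
    if requested not in VISIBILITIES:
        raise ValueError(f"unknown visibility {requested!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing to scan non-web URL {url!r}")
    if carries_secret_param(url):
        return "private"
    if requested == "public" and parts.hostname.lower() not in PUBLIC_ALLOWLIST:
        raise ValueError(f"public scan of {parts.hostname} is not allowlisted; use unlisted or private")
    return requested


def build_scan_request(url, api_key, visibility="private",
                       integration_name="example-soar-playbook/1.0"):
    """Return (headers, body) for a urlscan.io submission.

    Visibility is always written into the request body so the outcome does
    not depend on the account-level default. The descriptive User-Agent
    (a constructed name here) replaces the generic python-requests/2.X.Y
    string the article mentions, so the provider can attribute submissions.
    """
    chosen = effective_visibility(url, visibility)
    headers = {
        "Content-Type": "application/json",
        "API-Key": api_key,
        "User-Agent": integration_name,
    }
    body = {"url": url, "visibility": chosen}
    return headers, body


def submit_scan(url, api_key, visibility="private"):
    """Send the request built above and return the parsed JSON reply (network call)."""
    headers, body = build_scan_request(url, api_key, visibility)
    req = urllib.request.Request(
        SCAN_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample links of the kinds the article lists; nothing is sent.
    for link, wanted in [
        ("https://example.com/", "public"),
        ("https://login.example.org/reset?token=abc123", "unlisted"),
        ("https://docs.example.org/signing/request", "unlisted"),
    ]:
        _, payload = build_scan_request(link, "API-KEY-PLACEHOLDER", wanted)
        print(f"{link} -> requested {wanted}, submitted as {payload['visibility']}")
```

The design choice is to make "private" the default and to treat "public" as an exception that needs an allowlist entry, so a playbook that forgets to set the parameter fails closed rather than publishing every link it receives.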

Urlscan.io has also contacted customers who have submitted vast amounts of public scans and begun reviewing third-party SOAR tool integrations. Finally, the developers have added deletion rules, highlighted visibility settings in the user interface, and implemented a report button to deactivate problematic search results.

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third party automation providers to ensure adherence to safe default behaviors.

“A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”
