Connect with us
X
Categories:

Technology

Sensitive URLs and data accidentally leaked through the Urlscan.io API

Published

on

Sensitive URLs and data accidentally leaked through the Urlscan.io API
Share this post:

Researchers have warned of enterprise software misconfigurations leading to the leak of sensitive records on urlscan.io.

Urlscan.io is a website scan and analysis engine. The system accepts URL submissions and generates a wealth of data, including domains, IPs, DOM information, and cookies, alongside screenshots.

The developers say the engine’s purpose is to allow “anyone to easily and confidently analyze unknown and potentially malicious websites”. Urlscan.io supports many enterprise customers and open source projects, and an API is provided to integrate these checks into third-party products.

GitHub warning

In a blog post published today (November 2), Positive Security said the urlscan API came to its attention due to an email sent by GitHub in February, warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Upon further investigation, Positive Security found that this could include urlscan.io dorks, password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices.

Pingbacks to leaked email addresses appeared to show that misconfigured security tools that submitted links received via email as public scans to urlscan.io were the culprits.

For example, many API integrations utilized generic python-requests/2.X.Y user agents that ignored account visibility settings, thus allowing scans to be wrongfully submitted as public.

SOAR misconfiguration

Positive Security reached out to numerous leaked email addresses and there was only one response – from an organization that sent an employee a DocuSign link to their work contract and subsequently launched an investigation.

The employer found that a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io, was at fault.

Positive Security examined historic urlscan.io information and uncovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they would appear on urlscan.

For users of such misconfigured clients, password resets for many web services can be triggered, and the leaked link used to set a new password and take over the accounts.

Speaking to Daily Swig, Fabian Bräunlein, co-founder of Positive Security said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan overhaul

Once the impact of the issue’s assessment was completed in July, Positive Security reported its findings to urlscan.io. As a result, the cybersecurity firm and urlscan.io developers worked together to address the problems uncovered, leading to the release of a new engine version later in the month.

The improved software includes an enhanced scan visibility interface and team-wide visibility settings.

Urlscan.io subsequently also published Scan Visibility Best Practices, which explain the security benefits and risks posed by three visibility settings users choose between when submitting a URL: ‘Public’, ‘Unlisted’, and ‘Private’.

Urlscan.io has also contacted customers who have submitted vast amounts of public scans and begun reviewing third-party SOAR tool integrations. Finally, the developers have added deletion rules, highlighted visibility settings in the user interface, and implemented a report button to deactivate problematic search results.

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third party automation providers to ensure adherence to safe default behaviors.

“A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Expanding Living Space
Lifestyle3 weeks ago

Expanding Living Space: Prefabricated Workshop Building Kits for Extra Rooms

BeBe Winans
Lyrics1 month ago

BeBe Winans – It All Comes Down to Love [Lyrics]

BeBe Winans
Music1 month ago

[Music] BeBe Winans – It All Comes Down to Love

The Countdown Begins to the Tournament That Has It All
ANE Football Analytical2 months ago

AFCON 2023: A Sporting Spectacle Set to Captivate the World

Litecoin: What Makes It The Crypto Winner?
Technology3 months ago

Runny Inflation Can Drive Cryptocurrency Adoption

Black and White French Bulldog puppies Frenchie Joy
Lifestyle3 months ago

Black and White French Bulldog puppies Frenchie Joy

3 Serious Reasons to Keep Your Teenager Away From Social Media
Lifestyle3 months ago

3 Serious Reasons to Keep Your Teenager Away From Social Media

Boxing vs MMA What Makes Them So Different
Sports4 months ago

Boxing vs MMA: What Makes Them So Different

Roisea: Most Advanced Crypto Trading Platform for Bitcoin
Technology4 months ago

NFTs and Intellectual Property Rights: Shaping Creative Ownership

The Birth of a Rugby Nation South Africas Love Affair with the Sport
Sports8 months ago

The Birth of a Rugby Nation: South Africa’s Love Affair with the Sport

A Beginner's Guide to Radicle (RAD): The Future of Peer-to-Peer Development
Technology9 months ago

A Beginner’s Guide to Radicle (RAD): The Future of Peer-to-Peer Development

Analysis of Nigeria's Renewable Energy Sector: Opportunities and Challenges
Technology10 months ago

Analysis of Nigeria’s Renewable Energy Sector: Opportunities and Challenges

Casino Gaming Poker
Sports10 months ago

What Are The Various Types Of Online Slots?

Luka Modric celebrates after scoring Real Madrid's second goal against Celta Vigo.
Sports11 months ago

Luka Modric set to join Ronaldo in Saudi Arabia’s Al Nassr

WHO World Health Organization
Health11 months ago

WHO debunks claims that tuberculosis is caused by witchcraft, poison

Atiku Abubakar
News11 months ago

2023 Election: Why DSS must arrest Fani-Kayode – Atiku

PDP Logo Umbrella
News11 months ago

PDP suspends National Chairman

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories11 months ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 03)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 02)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 01)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories12 months ago

[STORY] THE PASTOR’S DAUGHTER (Complete Episodes)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 16)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 15)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 14)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 13)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 12)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 11)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 10)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 09)

Papa Loves His Girls by Opeyemi Ojerinde Akintunde_ANE Stories
ANE Stories12 months ago

[STORY] PAPA LOVES HIS GIRLS (Episode 08)

ANE Billboard Hots