Sensitive URLs and data accidentally leaked through the Urlscan.io API

Researchers have warned of enterprise software misconfigurations leading to the leak of sensitive records on urlscan.io.

Urlscan.io is a website scan and analysis engine. The system accepts URL submissions and generates a wealth of data, including domains, IPs, DOM information, and cookies, alongside screenshots.

The developers say the engine’s purpose is to allow “anyone to easily and confidently analyze unknown and potentially malicious websites”. Urlscan.io supports many enterprise customers and open source projects, and an API is provided to integrate these checks into third-party products.

GitHub warning

In a blog post published today (November 2), Positive Security said the urlscan API came to its attention through an email GitHub sent in February, warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Upon further investigation using urlscan.io search queries (dorks), Positive Security found that the exposed data could include password reset links, account setup pages, Telegram bot URLs, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices.

Pingbacks from the leaked email addresses indicated that the culprits were misconfigured security tools which took links received via email and submitted them to urlscan.io as public scans.

For example, many API integrations identified only by a generic python-requests/2.X.Y user agent did not honour the account's visibility setting, so scans were wrongly submitted as public.
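The integration-side fix is to never rely on the account default and never let a link that carries a one-time token leave the organisation as a public scan. The following is an added example of such a wrapper, written for this page; it is not code from Positive Security, urlscan.io, or any SOAR vendor. It assumes only the documented urlscan.io submission endpoint (POST https://urlscan.io/api/v1/scan/, an API-Key header, a JSON body with url and visibility). The sensitivity heuristics, the function names and the downgraded flag are this example's own, and the URLs in it are constructed.

```python
"""
Hardened urlscan.io submission wrapper for a SOAR-style integration.

Added example, not code from Positive Security, urlscan.io or any SOAR vendor.
Assumes the documented submission endpoint (POST /api/v1/scan/ with an
'API-Key' header and a JSON body carrying 'url' and 'visibility'). The
sensitivity heuristics and the 'downgraded' bookkeeping are this example's own.
"""
import json
import os
import re
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"
VISIBILITIES = ("public", "unlisted", "private")

# Path fragments that, in the leak described above, tended to mark one-time or
# personal links (password resets, account setup, e-signature, tracking).
# Illustrative heuristic, not an exhaustive list.
SENSITIVE_PATH_HINTS = ("reset", "password", "invite", "setup", "signing",
                        "docusign", "invoice", "track", "verify", "confirm")
# Query parameters that normally carry a capability token.
SENSITIVE_QUERY_KEYS = ("token", "key", "code", "sig", "signature",
                        "auth", "session", "ticket", "otp")
# A long opaque string mixing letters and digits is treated as a bearer token.
OPAQUE_TOKEN = re.compile(r"(?=.*[0-9])(?=.*[A-Za-z])[A-Za-z0-9_\-]{24,}")
# api.telegram.org/bot<id>:<token>/... embeds the bot's secret in the path.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+")


def looks_sensitive(url: str) -> bool:
    """True if the URL itself probably carries a secret or a personal link."""
    parts = urlsplit(url)
    path = parts.path
    if TELEGRAM_BOT_PATH.match(path):
        return True
    lowered = path.lower()
    if any(hint in lowered for hint in SENSITIVE_PATH_HINTS):
        return True
    if any(OPAQUE_TOKEN.fullmatch(seg) for seg in path.split("/")):
        return True
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_QUERY_KEYS or OPAQUE_TOKEN.fullmatch(value):
            return True
    return False


@dataclass
class ScanRequest:
    headers: dict
    body: dict
    downgraded: bool = False  # True when a non-private request was forced private


def build_scan_request(url: str, api_key: str, visibility: str = "private",
                       tags: Optional[list] = None) -> ScanRequest:
    """Build the request, always sending an explicit visibility.

    Relying on the account default is what the misconfigured integrations
    above got wrong; here the default is 'private', and anything that looks
    like a one-time or token-bearing link is forced private regardless.
    """
    if visibility not in VISIBILITIES:
        raise ValueError(f"visibility must be one of {VISIBILITIES}, got {visibility!r}")
    downgraded = False
    if visibility != "private" and looks_sensitive(url):
        visibility, downgraded = "private", True
    body = {"url": url, "visibility": visibility}
    if tags:
        body["tags"] = list(tags)
    headers = {"API-Key": api_key, "Content-Type": "application/json"}
    return ScanRequest(headers=headers, body=body, downgraded=downgraded)


def submit_scan(req: ScanRequest, timeout: float = 10.0) -> dict:
    """Send the request (network); returns the parsed JSON response."""
    http_req = urllib.request.Request(
        SCAN_ENDPOINT, data=json.dumps(req.body).encode(),
        headers=req.headers, method="POST")
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    api_key = os.environ.get("URLSCAN_API_KEY", "")  # never hard-code the key
    # Constructed URL of the kind found leaked: a reset link with a token.
    req = build_scan_request(
        "https://app.example.com/reset-password?token=examplevalue",
        api_key, visibility="public")
    print(json.dumps(req.body), "downgraded:", req.downgraded)
```

A playbook that wants public scans for threat-intel sharing can still ask for them; the wrapper only refuses to share links that look like they carry a token or a personal action, and it records the downgrade so the playbook can log why the scan is not searchable.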

SOAR misconfiguration

Positive Security reached out to numerous leaked email addresses and received only one response, from an organization that had sent an employee a DocuSign link to their work contract; the organization subsequently launched an investigation.

The employer found that a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io, was at fault.

Positive Security examined historical urlscan.io data and identified misconfigured clients. Such clients could be abused by scraping urlscan.io for email addresses, sending those addresses unique links, and checking whether the links subsequently appeared as public scans on urlscan.io.

For users behind such misconfigured clients, an attacker can trigger password resets at many web services, retrieve the leaked reset link from urlscan.io, and use it to set a new password and take over the accounts.
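The same probe, pointed at your own organisation, is a cheap way to find out whether a mail-scanning integration is leaking before an attacker does: mail a unique canary link to a mailbox the SOAR protects, wait for the playbook to run, then search urlscan.io for the canary token. The code below is an added example written for this page, not Positive Security's tooling or urlscan.io's own code. It assumes the documented search endpoint (GET https://urlscan.io/api/v1/search/?q=...) and that each entry in the response's results list carries task and page objects with a url field (assumed field layout); the canary format and the function names are this example's own, and the sample response is constructed so the check runs offline.

```python
"""
Canary self-audit for the leak path described above.

Added example, not Positive Security's tooling or urlscan.io's own code.
Assumes GET https://urlscan.io/api/v1/search/?q=<query> and a response whose
'results' entries carry 'task' and 'page' objects with a 'url' field (assumed
layout). SAMPLE_RESPONSE below is constructed for the offline demo.
"""
import json
import secrets
import urllib.request
from typing import List, Optional, Tuple
from urllib.parse import quote

SEARCH_ENDPOINT = "https://urlscan.io/api/v1/search/"


def make_canary(base_url: str, token: Optional[str] = None) -> Tuple[str, str]:
    """Return (canary_url, token).

    The token is unguessable, so a search hit can only come from the canary
    mail having been submitted to urlscan.io by something in the mail path.
    """
    token = token or secrets.token_urlsafe(18)
    sep = "&" if "?" in base_url else "?"
    return f"{base_url}{sep}canary={token}", token


def search_query_for(token: str) -> str:
    # Quoted so the search matches the literal token inside the page URL.
    return f'page.url:"{token}"'


def canary_hits(search_response: dict, token: str) -> List[dict]:
    """Return result entries whose submitted or final URL contains the token."""
    hits = []
    for entry in search_response.get("results", []):
        urls = (entry.get("task", {}).get("url", ""),
                entry.get("page", {}).get("url", ""))
        if any(token in u for u in urls):
            hits.append(entry)
    return hits


def check_canary(token: str, timeout: float = 10.0) -> List[dict]:
    """Live check (network): query urlscan.io search for the canary token."""
    url = f"{SEARCH_ENDPOINT}?q={quote(search_query_for(token))}"
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        return canary_hits(json.load(resp), token)


# Constructed sample, shaped like a search response: one public scan of the
# canary (what a leaking integration produces) and one unrelated scan.
SAMPLE_RESPONSE = {
    "results": [
        {"task": {"url": "https://canary.example.net/contract?canary=K7xq2Vb9ZpLm",
                  "visibility": "public"},
         "page": {"url": "https://canary.example.net/contract?canary=K7xq2Vb9ZpLm"}},
        {"task": {"url": "https://example.org/", "visibility": "public"},
         "page": {"url": "https://example.org/"}},
    ],
    "total": 2,
}


if __name__ == "__main__":
    # Step 1: generate the canary and mail it to a protected mailbox (not shown).
    canary_url, token = make_canary("https://canary.example.net/contract")
    print("mail this link to yourself:", canary_url)
    # Step 2, after the playbook has run: check_canary(token) against the live
    # API. Offline, the constructed sample stands in for the response.
    hits = canary_hits(SAMPLE_RESPONSE, "K7xq2Vb9ZpLm")
    print("leaking" if hits else "clean", "-", len(hits), "public scan(s) found")
```

A single hit is conclusive: the only party that ever saw the token was the mail path, so whatever submitted it is the misconfigured integration. Use a domain you control as the canary base so the scan, if it happens, hits your own server and you also get the pingback the researchers relied on.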

Speaking to The Daily Swig, Fabian Bräunlein, co-founder of Positive Security, said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan overhaul

Once its assessment of the issue’s impact was completed in July, Positive Security reported its findings to urlscan.io. The two then worked together to address the problems uncovered, leading to the release of a new engine version later that month.

The improved software includes an enhanced scan visibility interface and team-wide visibility settings.

Urlscan.io subsequently also published Scan Visibility Best Practices, which explain the security benefits and risks of the three visibility settings users choose between when submitting a URL: ‘Public’, ‘Unlisted’, and ‘Private’.

Urlscan.io has also contacted customers who have submitted large numbers of public scans and has begun reviewing third-party SOAR tool integrations. Finally, the developers have added deletion rules, highlighted the visibility settings in the user interface, and implemented a report button that can be used to deactivate problematic search results.

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third party automation providers to ensure adherence to safe default behaviors.

“A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”
