Sensitive URLs and data accidentally leaked through the Urlscan.io API


Researchers have warned of enterprise software misconfigurations leading to the leak of sensitive records on urlscan.io.

Urlscan.io is a website scan and analysis engine. The system accepts URL submissions and generates a wealth of data, including domains, IPs, DOM information, and cookies, alongside screenshots.

The developers say the engine’s purpose is to allow “anyone to easily and confidently analyze unknown and potentially malicious websites”. Urlscan.io supports many enterprise customers and open source projects, and an API is provided to integrate these checks into third-party products.

GitHub warning

In a blog post published today (November 2), Positive Security said the urlscan API came to its attention due to an email sent by GitHub in February, warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Upon further investigation, Positive Security found that this could include urlscan.io dorks, password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices.

Pingbacks to leaked email addresses appeared to show that misconfigured security tools that submitted links received via email as public scans to urlscan.io were the culprits.

For example, many API integrations used the generic python-requests/2.X.Y user agent and ignored the account's visibility settings, so their scans were wrongly submitted as public.

SOAR misconfiguration

Positive Security reached out to numerous leaked email addresses and there was only one response – from an organization that sent an employee a DocuSign link to their work contract and subsequently launched an investigation.

The employer found that a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io, was at fault.

Positive Security examined historic urlscan.io information and uncovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they would appear on urlscan.

For users of such misconfigured clients, password resets for many web services can be triggered, and the leaked link used to set a new password and take over the accounts.

Speaking to Daily Swig, Fabian Bräunlein, co-founder of Positive Security said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”


Urlscan overhaul

Once the impact assessment of the issue was completed in July, Positive Security reported its findings to urlscan.io. The cybersecurity firm and the urlscan.io developers then worked together to address the problems uncovered, leading to the release of a new engine version later that month.

The improved software includes an enhanced scan visibility interface and team-wide visibility settings.

Urlscan.io subsequently also published Scan Visibility Best Practices, which explain the security benefits and risks posed by three visibility settings users choose between when submitting a URL: ‘Public’, ‘Unlisted’, and ‘Private’.

Urlscan.io has also contacted customers who have submitted vast amounts of public scans and begun reviewing third-party SOAR tool integrations. Finally, the developers have added deletion rules, highlighted visibility settings in the user interface, and implemented a report button to deactivate problematic search results.
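The misconfigured integrations described above (a generic client submitting every emailed link as a public scan) and the three visibility settings urlscan.io now documents suggest a simple guard a SOAR playbook can apply before submitting. The following is an added example, not code from the article, Positive Security or urlscan.io: it defaults to 'private', identifies the integration with its own User-Agent, refuses non-private scans of links that look personalised, and audits past submissions. The endpoint path, `API-Key` header and `visibility` field are assumed to match urlscan.io's public API; the sensitive-parameter and path heuristics are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Visibility levels named in urlscan.io's Scan Visibility Best Practices.
VISIBILITIES = ("public", "unlisted", "private")

# Constructed heuristics: query parameters that often carry one-time secrets,
# and path fragments typical of the link categories found leaked
# (password resets, setup pages, DocuSign signing, package tracking, invoices).
SENSITIVE_PARAMS = {"token", "reset", "code", "otp", "signature", "sig", "key", "auth", "ticket"}
SENSITIVE_PATHS = ("reset", "password", "invite", "signing", "setup", "track", "invoice")


def is_sensitive(url: str) -> bool:
    """Heuristic: does this URL look like a personalised or one-time link?"""
    parts = urlparse(url)
    path = parts.path.lower()
    params = {name.lower() for name in parse_qs(parts.query)}
    if params & SENSITIVE_PARAMS:
        return True
    return any(fragment in path for fragment in SENSITIVE_PATHS)


def build_scan_request(url: str, api_key: str, visibility: str = "private",
                       tool_name: str = "example-soar-playbook/1.0") -> dict:
    """Return the HTTP request a playbook would send (as a dict, nothing is sent).

    Endpoint, header and field names are assumed to follow urlscan.io's public API.
    Defaults to 'private' and refuses a non-private scan of a sensitive-looking link.
    """
    if visibility not in VISIBILITIES:
        raise ValueError(f"unknown visibility {visibility!r}")
    if visibility != "private" and is_sensitive(url):
        raise ValueError("refusing non-private scan of a sensitive-looking URL")
    return {
        "method": "POST",
        "url": "https://urlscan.io/api/v1/scan/",
        "headers": {
            "API-Key": api_key,
            "Content-Type": "application/json",
            # Name the integration instead of the generic python-requests/2.X.Y UA,
            # so the platform operator can trace misbehaving clients.
            "User-Agent": tool_name,
        },
        "json": {"url": url, "visibility": visibility},
    }


def audit_submissions(records: list) -> list:
    """Given past submissions as {'url': ..., 'visibility': ...} dicts, return the
    URLs that were submitted publicly despite looking sensitive (deletion candidates)."""
    return [r["url"] for r in records
            if r.get("visibility") == "public" and is_sensitive(r["url"])]
```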

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third party automation providers to ensure adherence to safe default behaviors.

“A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”
