Security experts have warned about “a trove of sensitive information” leaking through urlscan.io, a website scanner for suspicious URLs. “Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable,” stated Fabian Bräunlein, co-founder of Positive Security. The Berlin-based cybersecurity company said it began its investigation after a GitHub warning. In February 2022, as part of an automated process, GitHub warned its users that their usernames and private repository names had been shared with urlscan.io for metadata analysis. Urlscan.io, often referred to as a web-based sandbox, is integrated into several security solutions through its API. “With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” stated Bräunlein. This includes SharePoint, Discord, Zoom, PayPal invoices, Cisco Webex meeting recordings, package tracking URLs, and information about Telegram bots, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, and password reset links. Bräunlein noted that a preliminary search in February turned up “juicy URLs” associated with Apple domains, some of which pointed to publicly shared iCloud files and calendar invitation responses. According to reports, Apple asked urlscan.io to exclude its domains from scanning, so scan results matching certain predefined conditions are now regularly removed. Positive Security added that it contacted several of the affected email addresses and received one response, from a company that traced the exposure of a DocuSign work contract link to a misconfigured Security Orchestration, Automation, and Response (SOAR) solution with a urlscan.io integration.
The investigation also found that misconfigured security products submit every link they receive via email to urlscan.io as a public scan. An attacker could trigger password resets for the exposed email addresses, retrieve the resulting reset URLs from the public scan results, and use those links to take over the accounts. To make such an attack more effective, the adversary can look up which services the target email addresses are registered with on data breach reporting websites such as Have I Been Pwned. Urlscan.io has urged users to “understand the different scan visibilities, review your own scans for non-public information, review your automated submission workflows, [and] enforce a maximum scan visibility for your account.” It has also added deletion rules that automatically remove past and future scans matching its search patterns. “This information could be used by spammers to collect email addresses and other personal information. It could be used by cyber criminals to take over accounts and run believable phishing campaigns,” said Bräunlein.
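The review that urlscan.io recommends above can be scripted. The following is an added example (not code from Positive Security or urlscan.io): it runs a sensitive-URL heuristic over a constructed set of scan records shaped like urlscan.io search results (the field names `results[].page.url` and `results[].task.visibility` are my assumption; confirm them against the current API documentation) and flags any scan visible beyond the account's intended maximum visibility.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of what a search for your own domain might return.
# Field names follow the urlscan.io search API as assumed here; verify
# them against the current API documentation before relying on this.
SAMPLE_RESULTS = json.loads("""{"results": [
 {"task": {"visibility": "public",   "time": "2022-02-01T10:00:00Z"},
  "page": {"url": "https://example.com/reset-password?token=REDACTED-SAMPLE"}},
 {"task": {"visibility": "public",   "time": "2022-02-01T10:05:00Z"},
  "page": {"url": "https://example.com/blog/how-we-scan-urls"}},
 {"task": {"visibility": "unlisted", "time": "2022-02-01T10:09:00Z"},
  "page": {"url": "https://example.com/invite?team=ops&code=SAMPLE"}},
 {"task": {"visibility": "public",   "time": "2022-02-01T10:12:00Z"},
  "page": {"url": "https://docs.example.com/d/SAMPLEDOC/edit?usp=sharing"}}
]}""")

# Heuristic markers of single-use or capability URLs (reset pages, invites,
# signing requests, shared documents). Tune these for your own URL scheme.
SENSITIVE_PATH = re.compile(r"(reset|recover|invite|unsubscribe|sign|share|/d/)", re.I)
SENSITIVE_PARAMS = {"token", "code", "key", "sig", "signature", "invite", "usp", "auth"}

def classify_url(url):
    """Return the reasons a URL looks like it carries a secret, or [] if none."""
    parts = urlsplit(url)
    reasons = []
    if SENSITIVE_PATH.search(parts.path):
        reasons.append("path:" + parts.path)
    hits = sorted(SENSITIVE_PARAMS & set(parse_qs(parts.query).keys()))
    if hits:
        reasons.append("params:" + ",".join(hits))
    return reasons

def review_scans(results, max_visibility="unlisted"):
    """Flag scans visible beyond max_visibility whose URL looks sensitive.

    Visibility ranks private < unlisted < public. Each finding is a scan a
    reviewer should delete or make private, and a pointer to the submitting
    workflow whose visibility setting needs tightening.
    """
    rank = {"private": 0, "unlisted": 1, "public": 2}
    findings = []
    for r in results["results"]:
        vis, url = r["task"]["visibility"], r["page"]["url"]
        reasons = classify_url(url)
        if reasons and rank[vis] > rank[max_visibility]:
            findings.append({"url": url, "visibility": vis, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review_scans(SAMPLE_RESULTS):
        print(f["visibility"], f["url"], f["reasons"])
```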