Security experts have warned about “a trove of sensitive information” leaking through urlscan.io, a website scanner for suspicious URLs. “Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable,” stated Fabian Bräunlein, co-founder of Positive Security.

The Berlin-based cybersecurity company said it began its investigation after a warning from GitHub. In February 2022, GitHub warned its users about their usernames and private repository names being shared with urlscan.io for metadata analysis as part of an automated process.

Urlscan.io, which is often referred to as a web-based sandbox, is integrated into several security solutions through its API. “With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” stated Bräunlein.

This includes SharePoint, Discord, Zoom, PayPal invoices, Cisco Webex meeting recordings, URLs for package tracking, and information regarding Telegram bots, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, and password reset links.

Bräunlein noted that a preliminary search in February turned up “juicy URLs” associated with Apple domains, some of which also included links to publicly shared iCloud files and calendar invitation responses. According to reports, Apple asked for its domains to be excluded from URL scans, so that information matching specific established conditions is frequently removed.

Positive Security added that it contacted several of the compromised email addresses and got one response, from a company that linked the inadvertent exposure of a DocuSign work contract link to a misconfigured Security Orchestration, Automation, and Response (SOAR) solution and its urlscan.io integration.
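A pre-submission gate of the kind a SOAR playbook could run before handing links to an external scanner, added here as an example and not taken from Positive Security or urlscan.io. The host list, parameter names and regexes are illustrative assumptions; `visibility` is the field urlscan.io's submission API uses to mark a scan public, unlisted or private.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Illustrative heuristics (assumptions), drawn from the URL types named above.
SHARING_HOSTS = ("docusign.net", "drive.google.com", "dropbox.com",
                 "sharepoint.com", "icloud.com")
SECRET_PARAMS = {"token", "key", "code", "sig", "signature", "auth", "invite"}
PATH_KEYWORDS = re.compile(r"reset|invite|invoice|signing", re.I)
LONG_TOKEN = re.compile(r"[A-Za-z0-9_-]{24,}")  # likely capability/bearer value


def sensitive_reasons(url):
    """Return the reasons a URL should not leave the organisation."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
        reasons.append("sharing-host:" + host)
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            reasons.append("secret-param:" + name)
    if PATH_KEYWORDS.search(parts.path):
        reasons.append("path-keyword")
    if LONG_TOKEN.search(parts.path + "?" + parts.query):
        reasons.append("long-token")
    return reasons


def plan_submission(url):
    """Return (payload, reasons); payload is None when the URL is withheld."""
    reasons = sensitive_reasons(url)
    if reasons:
        return None, reasons
    # Never rely on the integration's default visibility: set it explicitly.
    return {"url": url, "visibility": "private"}, []


if __name__ == "__main__":
    samples = [  # constructed URLs
        "https://example.com/account/reset?token=abc123",
        "https://acme.sharepoint.com/:w:/g/personal/contract",
        "https://example.net/d/" + "A" * 32,
        "https://example.org/news/article.html",
    ]
    for u in samples:
        print(plan_submission(u))
```

Withheld URLs can still be analysed in an in-house sandbox; the gate only decides what is sent to a third party.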