Website scanner “Urlscan.io” sensitive private data leak

Positive Security researchers found that the website scanner urlscan.io was unintentionally disclosing URLs that contain sensitive data, largely because misconfigured integrations were submitting their scans as public.

The investigation started with a notification from GitHub that a private GitHub Pages URL had apparently been leaked by a third party during a metadata scan; the scanner in question turned out to be urlscan.io.

“This information could be used by spammers to harvest email addresses and other personal information,” said Bräunlein, co-founder of Positive Security. “It could be used by cybercriminals to take control of accounts and run credible phishing campaigns.”

Urlscan.io

urlscan.io describes itself as a sandbox for the web; in practice it is a website scanner. Several security products integrate with its API to make their own detections richer and more accurate.

The idea behind it is to let users identify potentially malicious websites easily and confidently with a simple, straightforward tool. The engine backs a wide range of open source projects and enterprise customers.

Sensitive data can be extracted

Users who had enabled GitHub Pages for a private repository had the repository name exposed, because the Pages URL that ended up in a public scan reveals it. There does not yet appear to be any official public acknowledgment of this exposure.

Because scans submitted as public are searchable by anyone, an anonymous user can query urlscan.io and retrieve a large amount and variety of sensitive data that the API integrations have submitted.

These integrations are security tools that inspect incoming email and submit every link they find to urlscan.io for analysis. When such a submission is made with public visibility, the link, including any secret embedded in it, becomes visible to everyone.

The public scan results the researchers found included the following kinds of links:

  • Password reset links
  • Unsubscribe links
  • Account creation URL
  • API keys
  • Information about Telegram bots
  • DocuSign signature requests
  • Amazon Gift Delivery Links
  • Shared Google Drive links
  • Dropbox file transfers
  • Invite links to SharePoint
  • Invite links on Discord
  • Zoom meeting invites (including government ones)
  • PayPal invoices
  • PayPal money claim requests
  • Links to Cisco Webex Meeting Recordings
  • Parcel tracking links

Many submissions carry the generic `python-requests/2.XY` User-Agent, which points to home-grown scripts or integrations built on the Python requests library rather than the official clients. If such a script ignores the account's visibility setting (for example, by explicitly requesting public visibility, or by relying on an account default that is public), its scans are erroneously submitted as public.
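The two problems described above, anyone being able to search public results and integrations submitting scans as public, can both be checked with a short script. The following is an added example written for this article, not code from urlscan.io or Positive Security. It assumes the documented search and scan endpoints of the urlscan.io API (`GET /api/v1/search/`, `POST /api/v1/scan/` with an `API-Key` header and a `visibility` field), uses a constructed set of search hits rather than real results, and treats its URL heuristics, host list and User-Agent string as placeholders to tune for your own estate:

```python
"""Added example: audit public urlscan.io results for secret-bearing links and
submit scans with an explicit visibility. Hostnames, URL patterns, User-Agent
and SAMPLE_HITS below are assumptions/constructed data, not urlscan.io's."""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

URLSCAN_SUBMIT = "https://urlscan.io/api/v1/scan/"
URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"
USER_AGENT = "example-mail-gateway-urlscan-integration/1.0"  # placeholder, not python-requests' default

# Heuristics built from the kinds of leaked links the article lists (assumption: tune for your estate).
SENSITIVE_PATH_RE = re.compile(
    r"/(reset|recover|unsubscribe|invit(e|ation)|verify|confirm|activate|claim|track(ing)?)\b", re.I
)
SENSITIVE_PARAMS = {"token", "key", "api_key", "apikey", "secret", "code", "sig", "signature", "auth", "otp"}
SENSITIVE_HOSTS = ("docusign", "dropbox.com", "drive.google.com", "sharepoint.com",
                   "discord.gg", "zoom.us", "paypal.com", "webex.com", "icloud.com")
TOKEN_SEGMENT_RE = re.compile(r"[A-Za-z0-9_\-=]{32,}")  # long opaque segments are usually capability tokens


def classify(url):
    """Return the reasons a URL looks like a secret-bearing or capability link ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if any(marker in host for marker in SENSITIVE_HOSTS):
        reasons.append("sensitive-host")
    if SENSITIVE_PATH_RE.search(parts.path):
        reasons.append("sensitive-path")
    if {k.lower() for k in parse_qs(parts.query)} & SENSITIVE_PARAMS:
        reasons.append("secret-bearing-query")
    if any(TOKEN_SEGMENT_RE.fullmatch(seg) for seg in parts.path.split("/")):
        reasons.append("token-like-path-segment")
    return reasons


def audit_public_results(hits):
    """hits: entries of the 'results' array of the search API (each has 'page': {'url': ...}
    and an '_id'). Returns the ones that should be deleted or made private, with reasons."""
    flagged = []
    for hit in hits:
        url = hit.get("page", {}).get("url", "")
        reasons = classify(url)
        if reasons:
            flagged.append({"uuid": hit.get("_id"), "url": url, "reasons": reasons})
    return flagged


def search_public_results(query, size=100):
    """Network call (not exercised offline): the search endpoint needs no API key, which is
    exactly why public scans are exposed. Query syntax is Elasticsearch-like, e.g. 'domain:example.com'."""
    req = Request(f"{URLSCAN_SEARCH}?{urlencode({'q': query, 'size': size})}",
                  headers={"User-Agent": USER_AGENT})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]


def choose_visibility(url, default):
    """Never let a secret-bearing link become public, whatever the integration's default is."""
    return "private" if classify(url) else default


def build_scan_request(url, api_key, visibility="private", tags=()):
    """Build a submission for POST /api/v1/scan/. Scans ended up public when integrations left
    'visibility' to the account default or asked for 'public'; here it is always set explicitly."""
    if visibility not in ("public", "unlisted", "private"):
        raise ValueError("visibility must be public, unlisted or private")
    body = {"url": url, "visibility": visibility}
    if tags:
        body["tags"] = list(tags)
    headers = {"API-Key": api_key, "Content-Type": "application/json", "User-Agent": USER_AGENT}
    return {"url": URLSCAN_SUBMIT, "headers": headers, "body": body}


def submit_scan(url, api_key, default_visibility="unlisted"):
    """Network call (not exercised offline): submit with a visibility chosen per URL."""
    req = build_scan_request(url, api_key, choose_visibility(url, default_visibility))
    http = Request(req["url"], data=json.dumps(req["body"]).encode(),
                   headers=req["headers"], method="POST")
    with urlopen(http, timeout=30) as resp:
        return json.load(resp)  # contains the result UUID and result URLs


# Constructed sample hits for offline use, not real scan results.
SAMPLE_HITS = [
    {"_id": "0001", "page": {"url": "https://app.example.com/account/reset?token=9f3c1a2b7e"}},
    {"_id": "0002", "page": {"url": "https://www.example.com/blog/2022/11/post"}},
    {"_id": "0003", "page": {"url": "https://na2.docusign.net/Signing/EmailStart.aspx?a=abc"}},
    {"_id": "0004", "page": {"url": "https://team.sharepoint.com/:f:/g/personal/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"}},
]

if __name__ == "__main__":
    for item in audit_public_results(SAMPLE_HITS):
        print(item["uuid"], item["reasons"], item["url"])
    # Against live data: audit_public_results(search_public_results("domain:example.com"))
```

Running the script against the constructed hits flags the reset link, the DocuSign link and the SharePoint share and leaves the blog post alone; pointing `search_public_results` at your own domain is the quickest way to find out whether one of your integrations has been submitting scans as public.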

Integrations

The commercial security solutions that have integrated the urlscan.io API include:

  • Tines – Advanced security orchestration and automation platform
  • Palo Alto Networks Cortex XSOAR – Cortex XSOAR is the most comprehensive SOAR platform on the market today
  • IBM Security SOAR – IBM Security SOAR platform
  • Cisco SecureX Threat Response – Security that Works Together
  • Splunk SOAR – Security Automation and Orchestration Platform
  • ThreatConnect – Threat Intelligence, Analytics and Orchestration Platform
  • Polarity – Augmented Reality for your desktop
  • Maltego – A comprehensive tool for graphical link analysis
  • Siemplify – Security Orchestration, Automation and Incident Response
  • Swimlane – Security Orchestration, Automation and Response
  • Anomali – A Threat Intelligence platform that enables enterprises to integrate security products and leverage threat data
  • Exabeam – smarter SIEM, better security
  • Rapid7 Komand – An orchestration layer for security tools
  • Rapid7 InsightConnect – Orchestration and automation to accelerate your teams and tools
  • LogicHub – Intelligent Security Automation
  • FireEye Security Orchestrator – Simplify threat response with orchestration and automation
  • RSA NetWitness – Threat detection and response
  • Cybersponse – Security Orchestration, Automation and Incident Response Solution
  • ArcSight Enterprise Security Manager (ESM) – Powerful and adaptable SIEM that offers real-time threat detection and native SOAR technology.
  • FortiSOAR – FortiSOAR is a security orchestration, automation, and response (SOAR) solution.
  • Metaspike Forensic Email Intelligence – The experts’ choice for investigating email fraud, business email compromise (BEC), malware delivery and CAN-SPAM violations.
  • Nevelex Labs – Security Flow is a new automation and orchestration tool for enterprise security.
  • Sanguine eComscan – eComscan is intelligent video surveillance for online stores
  • D3 SOAR – Security Orchestration and Automated Incident Response with MITRE ATT&CK
  • Dtonomy AIR – SOAR with adaptive intelligence
  • Joe Sandbox Cloud – Automated deep malware analysis in the cloud
  • Hybrid Analysis – Free community malware scanning service that detects and analyzes unknown threats

The list is almost certainly incomplete; GitHub, for instance, uses the API directly from its SaaS offering.

Impact

Several of the URLs the researchers found were publicly shared iCloud file links, some of them on Apple domains. These have since been removed.

Positive Security also wrote to some of the email addresses found in the leaked links, and one organization replied.

In that case the leak was traced to a misconfigured SOAR solution, which had submitted a DocuSign employment-contract link to urlscan.io as a public scan.

Positive Security reported its findings to urlscan.io in July, after completing its assessment, and worked with urlscan.io's developers on a fix.

As a result, urlscan.io's new engine version, released the following month, introduced an improved scan visibility interface and team-wide visibility settings.

About Sandra A. Powell
