
Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data
2022-11-07 10:49

Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs.

"Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.

Urlscan.io, which has been described as a sandbox for the web, is integrated into several security solutions via its API. "With the type of integration of this API, and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user," Bräunlein noted.

Positive Security further added that it reached out to a number of the email addresses found in the leaked data, and received one response from an unnamed organization that traced the leak of a DocuSign work contract link to a misconfiguration of its Security Orchestration, Automation, and Response (SOAR) solution, which was being integrated with urlscan.io.

On top of that, the analysis also found that misconfigured security tools are submitting every link received by email as a public scan to urlscan.io.

Urlscan.io, following responsible disclosure from Positive Security in July 2022, has urged users to "Understand the different scan visibilities, review your own scans for non-public information, review your automated submission workflows, [and] enforce a maximum scan visibility for your account."
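The two workflow controls urlscan.io recommends above (review automated submissions, enforce a maximum scan visibility) can be implemented as a small guard in front of the submission step of a SOAR playbook. The following Python is an added example written for this article, not code from urlscan.io or Positive Security. The endpoint `https://urlscan.io/api/v1/scan/`, the `API-Key` header and the `visibility` values `public`, `unlisted` and `private` are taken from urlscan.io's public API documentation; the sensitive-link patterns and the sample URLs are constructed heuristics for illustration and should be tuned to your own environment.

```python
"""Guard for automated urlscan.io submissions (e.g. from a SOAR playbook).

Two defensive controls:
  1. Clamp every submission's visibility to an account-wide maximum, so a
     misconfigured workflow can never create a public scan of an internal link.
  2. Flag URLs that look like one-time or account-bound links (password resets,
     invites, signed document links) and force them to private.
"""
import json
import re
from urllib.parse import urlparse, parse_qs
from urllib.request import Request, urlopen

# urlscan.io's documented visibility levels, most restrictive first.
VISIBILITY_RANK = {"private": 0, "unlisted": 1, "public": 2}

# Heuristic patterns for URLs that typically carry a secret or a per-user
# capability. Constructed for this example; tune to your environment.
SENSITIVE_PATH_RE = re.compile(
    r"(reset[-_]?password|password[-_]?reset|invite|invitation|unsubscribe|"
    r"verify|confirm|signing|docusign|sharedfile|invoice)", re.IGNORECASE)
SENSITIVE_PARAM_RE = re.compile(
    r"^(token|code|key|sig|signature|auth|access[-_]?token|reset|invite|otp)$",
    re.IGNORECASE)

SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"


def looks_sensitive(url: str) -> bool:
    """Return True if the URL path or query parameters suggest a private link."""
    parsed = urlparse(url)
    if SENSITIVE_PATH_RE.search(parsed.path):
        return True
    params = parse_qs(parsed.query, keep_blank_values=True)
    if any(SENSITIVE_PARAM_RE.match(name) for name in params):
        return True
    # Long opaque path segments (32+ URL-safe characters) are often capability tokens.
    return any(re.fullmatch(r"[A-Za-z0-9_\-]{32,}", seg) for seg in parsed.path.split("/"))


def clamp_visibility(requested: str, maximum: str) -> str:
    """Never exceed the account's maximum visibility (public > unlisted > private)."""
    if requested not in VISIBILITY_RANK or maximum not in VISIBILITY_RANK:
        raise ValueError(f"unknown visibility: {requested!r} / {maximum!r}")
    return requested if VISIBILITY_RANK[requested] <= VISIBILITY_RANK[maximum] else maximum


def build_scan_request(url: str, requested_visibility: str = "public",
                       max_visibility: str = "unlisted") -> dict:
    """Build the JSON body for POST /api/v1/scan/, applying both controls.

    Returns the body plus a 'decision' field explaining what the guard did
    (for the playbook's audit log; it is removed before submission).
    """
    visibility = clamp_visibility(requested_visibility, max_visibility)
    decision = "as-requested" if visibility == requested_visibility else "clamped"
    if looks_sensitive(url):
        # Sensitive-looking links are forced private regardless of policy.
        visibility, decision = "private", "forced-private"
    return {"url": url, "visibility": visibility, "decision": decision}


def submit_scan(url: str, api_key: str, **kwargs) -> dict:
    """Submit to urlscan.io (network call; not exercised by the offline checks)."""
    body = build_scan_request(url, **kwargs)
    body.pop("decision")  # audit-only field, not part of the API body
    req = Request(SCAN_ENDPOINT, data=json.dumps(body).encode(),
                  headers={"API-Key": api_key, "Content-Type": "application/json"},
                  method="POST")
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample inputs: a benign link and a password-reset link.
    for u in ["https://example.com/", "https://app.example.com/reset-password?token=abc"]:
        print(build_scan_request(u))
```

The default `max_visibility="unlisted"` mirrors the advice to set an account-wide ceiling: a playbook that asks for `public` is silently downgraded, and the `decision` field lets the SOAR log show when that happened, which is exactly the kind of signal that would have exposed the DocuSign-link misconfiguration described above before it leaked anything.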


News URL

https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html