Select Page

Security researchers are warning of “a trove of sensitive information” leaking through urlscan.io, a website scanner for suspicious and malicious URLs.

“Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable,” Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022.

The Berlin-based cybersecurity firm said it started an investigation in the aftermath of a notification sent by GitHub in February 2022 to an unknown number of users about sharing their usernames and private repository names (i.e., GitHub Pages URLs) to urlscan.io for metadata analysis as part of an automated process.

Urlscan.io, which has been described as a sandbox for the web, is integrated into several security solutions via its API.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” Bräunlein noted.

This included password reset links, email unsubscribe links, account creation URLs, API keys, information about Telegram bots, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, invite links to services like SharePoint, Discord, and Zoom, PayPal invoices, Cisco Webex meeting recordings, and even URLs for package tracking.

images from Hacker News