"Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data"

The website urlscan[.]io, which scans websites for suspicious and malicious URLs, is leaking "a trove of sensitive information," according to security researchers. Positive Security co-founder Fabian Bräunlein stated that sensitive URLs to shared documents, password reset pages, team invites, payment invoices, and more are publicly listed and searchable. The cybersecurity firm noted that it began its investigation after GitHub notified an unknown number of users in February 2022 that their usernames and private repository names (i.e., GitHub Pages URLs) had been shared with the website for metadata analysis as part of an automated process. Urlscan[.]io, which is considered a web sandbox, is integrated into several security solutions via its Application Programming Interface (API). Because these integrations submit URLs automatically and the resulting scans are stored in a searchable database, an anonymous user can search for and retrieve a wide range of sensitive data. Password reset links, email unsubscribe links, account creation URLs, API keys, Telegram bot information, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, invite links to services like SharePoint, Discord, Zoom, PayPal invoices, Cisco Webex meeting recordings, and even package tracking URLs were included. This article continues to discuss the Urlscan security scanner leaking sensitive URLs and data.
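The leak described above arises on the submitting side: an automated integration forwards every URL it sees, including ones whose query string or path is itself the credential, to a scanner whose public results are searchable. The script below is an added example, not code from urlscan.io, Positive Security, or any of the integrations mentioned; it shows a defensive pre-submission triage step that flags such URLs, redacts the secret-looking parts, and routes anything flagged to a non-public submission. The `"public"`/`"private"` visibility labels, the keyword lists, and the sample URLs are assumptions constructed for the example, not the scanner's documented API.

```python
"""Triage URLs before handing them to a third-party scanner with public, searchable results.

Added example; not urlscan.io's code. Assumes the scanner lets the caller choose a
per-submission visibility (assumed labels "public" / "private").
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys that commonly carry one-time or bearer-style secrets (assumed heuristic list).
SENSITIVE_KEY_RE = re.compile(
    r"(token|key|secret|code|sig|auth|session|otp|pass|reset|invite|ticket|hash)",
    re.IGNORECASE,
)
# Path keywords for workflows where the URL itself grants access (assumed heuristic list).
SENSITIVE_PATH_RE = re.compile(
    r"(reset|invite|unsubscribe|confirm|verify|activate|sign|invoice|share|transfer|recording)",
    re.IGNORECASE,
)
# A path segment that looks like an opaque identifier: 20+ URL-safe chars with at least one
# digit (the digit lookahead keeps long human-readable slugs from being redacted).
OPAQUE_SEGMENT_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9_\-=]{20,}$")
REDACTED = "REDACTED"

# Constructed sample input: the kinds of links the researchers found, on example.com hosts.
SAMPLE_URLS = [
    "https://app.example.com/reset-password?token=9f3c2a7b8d1e4f6a0b5c",
    "https://docs.example.com/d/1AbC2dEf3GhI4jKl5MnO6pQr7StU/view",
    "https://www.example.com/blog/how-to-configure-tls",
    "https://mail.example.com/unsubscribe?u=12345&h=abcd1234",
    "https://sso.example.com/callback#access_token=eyJ0eXAi",
]


def triage_url(url: str) -> dict:
    """Return whether the URL looks sensitive, why, and a redacted form safe to share."""
    parts = urlsplit(url)
    reasons = []

    # A sensitive workflow keyword in the path makes the whole query suspect.
    path_sensitive = bool(SENSITIVE_PATH_RE.search(parts.path))
    if path_sensitive:
        reasons.append("sensitive workflow keyword in path")

    # Replace opaque token-like path segments (document ids, signing ids, tracking ids).
    new_segments = []
    for seg in parts.path.split("/"):
        if OPAQUE_SEGMENT_RE.match(seg):
            reasons.append("opaque token in path")
            new_segments.append(REDACTED)
        else:
            new_segments.append(seg)

    # Redact values of secret-looking keys, or every value when the path is sensitive.
    new_query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if path_sensitive or SENSITIVE_KEY_RE.search(key):
            reasons.append(f"query parameter '{key}'")
            new_query.append((key, REDACTED))
        else:
            new_query.append((key, value))

    # Fragments often carry OAuth-style tokens and are never needed for a site scan: drop them.
    if parts.fragment:
        reasons.append("fragment dropped")

    redacted = urlunsplit(
        (parts.scheme, parts.netloc, "/".join(new_segments), urlencode(new_query), "")
    )
    return {"sensitive": bool(reasons), "reasons": reasons, "redacted": redacted}


def plan_submissions(urls) -> list:
    """Map each URL to what would be sent and with which (assumed) visibility setting."""
    plans = []
    for url in urls:
        t = triage_url(url)
        plans.append(
            {
                "submit": t["redacted"],
                "visibility": "private" if t["sensitive"] else "public",
                "reasons": t["reasons"],
            }
        )
    return plans


if __name__ == "__main__":
    for plan in plan_submissions(SAMPLE_URLS):
        print(f"{plan['visibility']:8} {plan['submit']}  {plan['reasons']}")
```

The useful property is that the redaction and the visibility decision are made before the URL leaves the integration, so a false negative in the heuristics costs one exposed link rather than a default of exposing everything; tightening the keyword lists to the link formats a given mail or ticketing pipeline actually receives is the natural next step.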

THN reports "Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data"
