URL analysis service leaked links to sensitive web pages: report

A URL analysis service integrated into products from major security vendors has exposed personal and sensitive information embedded in links to corporate web pages, information that could be gold for threat actors.

This revelation comes from a report by Positive Security researchers.

Part of the issue, which was quietly resolved in July, involves urlscan.io, a service that a number of firewall, gateway and security automation products call to scan URLs found in emails and on websites. Part of the problem is also poorly designed URLs that carry sensitive information, such as tokens or account details, in their query strings.

Poorly configured security orchestration, automation, and response (SOAR) integrations also play a role: when a playbook submits URLs to urlscan.io as public scans, the results become searchable by anyone on the internet, and whoever finds them can mine their content.

The leaked links include password reset pages, account creation pages, API keys, DocuSign signature request pages, SharePoint invitations, WebEx meeting registration pages, PayPal invoices and invitations to team meetings.

“Overall, the urlscan.io service contains a wealth of sensitive information of all kinds, which can be used by hackers, spammers or cybercriminals, for example to take control of accounts, steal identity or conduct credible phishing campaigns,” the report states.

According to the report, urlscan.io's integrations page lists 26 commercial security solutions from vendors such as Palo Alto, Splunk, Rapid7, FireEye and ArcSight that have integrated the service through its API. Others, such as GitHub, use the urlscan.io API internally.

“If any of these API tools/users accidentally perform public URL scans, it could lead to systematic data leakage,” the report said. “As these advanced security tools are mostly installed in large enterprises and government organizations, the information disclosed could be particularly sensitive.”

In addition to commercial products, the report says the integrations page also lists 22 open source projects, some of which are information gathering tools and some of which are simple library implementations that make it easier to query the API.

The scans performed by urlscan.io can include a lot of information, the report says, including:

  • the submitted URL (with all GET parameters);
  • the effective URL in case of redirection;
  • all HTTP requests that were made while scraping/parsing the URL;
  • information on the IP addresses and domains contacted during the scan;
  • a screenshot of the page taken at the time of the scan;
  • the site’s full HTML response.

According to the report, organizations are inadvertently creating publicly searchable databases of scanned URLs through the security orchestration, automation, and response (SOAR) capabilities of the security platforms they use. SOAR allows organizations to write their own playbooks that connect different data sources with security tools and services. To ease development, the platforms ship integrations with several third-party services, urlscan.io among them. With the urlscan.io package installed, a playbook can extract URLs from incoming emails and submit them to urlscan.io with a single automated command.

However, under certain conditions, such as an error in a playbook, a misconfiguration of the urlscan.io integration or of the account's visibility settings, or a bug in the integration itself that does not respect the visibility chosen by the user, a scan may be wrongly submitted as public.
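As an added example (not code from the report, from urlscan.io, or from any SOAR vendor's integration), the Python helper below shows how a playbook step can build a urlscan.io submission that fails closed against exactly those conditions: a missing visibility setting is treated as private rather than public, the requested visibility is clamped to a team-wide maximum, and query parameters that commonly carry secrets are redacted before the URL leaves the playbook, so the stored "submitted URL (with all GET parameters)" cannot leak a token even if a scan does end up public. The endpoint, the `visibility` field and the `API-Key` header are urlscan.io's documented API; the parameter name list, the team cap and the sample URL are assumptions.

```python
"""Fail-closed urlscan.io submission builder.

Added example, not taken from the Positive Security report or from any
SOAR vendor's urlscan.io integration.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"

# A lower rank is more restrictive.
VISIBILITY_RANK = {"private": 0, "unlisted": 1, "public": 2}

# Query-parameter names that commonly carry secrets in the kinds of links the
# report lists (reset tokens, API keys, signing invitations). Assumed starting
# list; extend it with the parameter names your own applications use.
SENSITIVE_PARAMS = {
    "token", "key", "api_key", "apikey", "access_token", "code",
    "sig", "signature", "reset", "invite", "secret",
}


def redact_query(url):
    """Replace the values of sensitive query parameters before submission.

    urlscan.io stores the submitted URL with all GET parameters, so a token
    that is stripped here cannot leak even if the scan ends up public.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def effective_visibility(requested, team_max="private"):
    """Clamp the requested visibility to the team maximum.

    A missing or empty value means 'private': the failure modes the report
    describes (playbook errors, integration bugs) must not default to public.
    """
    req = (requested or "private").lower()
    cap = (team_max or "private").lower()
    for value in (req, cap):
        if value not in VISIBILITY_RANK:
            raise ValueError(f"unknown visibility {value!r}")
    return req if VISIBILITY_RANK[req] <= VISIBILITY_RANK[cap] else cap


def build_scan_request(url, api_key, requested_visibility=None,
                       team_max_visibility="private", tags=()):
    """Return the pieces of a urlscan.io POST /api/v1/scan/ request.

    Nothing is sent here; hand the result to your HTTP client, e.g.
    requests.post(r["url"], headers=r["headers"], json=r["json"]).
    """
    body = {
        "url": redact_query(url),
        "visibility": effective_visibility(requested_visibility,
                                           team_max_visibility),
    }
    if tags:
        body["tags"] = list(tags)
    headers = {"API-Key": api_key, "Content-Type": "application/json"}
    return {"method": "POST", "url": SCAN_ENDPOINT,
            "headers": headers, "json": body, "data": json.dumps(body)}


if __name__ == "__main__":
    # Constructed sample: a password-reset link pulled from an inbound email
    # by a playbook whose author never set a visibility at all.
    req = build_scan_request(
        "https://corp.example/account/reset?token=s3cr3t&user=alice",
        api_key="00000000-0000-0000-0000-000000000000",
        requested_visibility=None,
        team_max_visibility="unlisted",
    )
    print(json.dumps(req["json"], indent=2))
```

Redacting the query string is a trade-off: the scanner will load the page without its token, so the screenshot and HTML show the "invalid link" view instead of the authenticated one. For the usual goal of a mail-security playbook, deciding whether the domain and page are malicious, that is acceptable; if the playbook needs the real page, keep the parameters and rely on the private cap alone.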

After being notified, urlscan.io released a new version in July with additional deletion rules that periodically delete scan results matching certain search patterns. It now highlights the default visibility setting in its UI and adds an option to set a maximum team-wide visibility.

It also published a blog post titled “Scan Visibility Best Practices” that explains the scan visibility settings, encourages users to review their submissions frequently, and details urlscan.io's efforts to prevent such leaks.

Web services should ensure that they promptly expire password reset and similar links and do not disclose unnecessary information to unauthenticated users through links that could become public, the report said. On an unsubscribe page, do not display the user's email address, and request additional authentication or information before revealing or acting on any personal data. For example, many package tracking websites now ask for a postal code before displaying the full delivery address. When implementing API authentication, the report adds, do not accept API keys via GET parameters; require a separate HTTP header instead.
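The three recommendations above, as an added, framework-free Python example that is not from the report: reset tokens are single-use and short-lived (and only their hash is stored), API keys are accepted from a header and explicitly refused when they appear in the query string, and the unsubscribe flow never acts on, or echoes, the address from the link alone. The 15-minute lifetime, the `X-API-Key` header name and the parameter names are assumptions; the report only says "promptly" and "a separate HTTP header".

```python
"""Hardening the link and API patterns the report calls out.

Added example, not from the report. Each function takes plain dicts so it
can be dropped into any handler; the numbers and names are assumptions.
"""
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed; the report only says "promptly"
API_KEY_HEADER = "X-API-Key"  # assumed header name
# Query-parameter names an API must refuse to read a key from: they end up in
# proxy logs, browser history, Referer headers and URL scanner results.
FORBIDDEN_KEY_PARAMS = {"api_key", "apikey", "key", "token", "access_token"}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Single-use, short-lived password-reset tokens.

    Only a hash of each token is stored, so a leaked table of pending resets
    is useless, and a leaked scan of the reset link is useless once the link
    has been redeemed or has expired. `clock` is injectable for testing.
    """

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user id once, or None if unknown, already used or expired."""
        entry = self._pending.pop(_digest(token), None)  # pop => single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    def purge_expired(self):
        now = self._clock()
        stale = [k for k, (_, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)


def authenticate_api_request(request, valid_keys):
    """Accept an API key only from a header, never from the query string.

    `request` is {"query": {name: value}, "headers": {name: value}}.
    Returns (ok, reason).
    """
    query_names = {name.lower() for name in request.get("query", {})}
    if query_names & FORBIDDEN_KEY_PARAMS:
        return False, "api key in query string is not accepted"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    presented = headers.get(API_KEY_HEADER.lower())
    if not presented:
        return False, f"missing {API_KEY_HEADER} header"
    for key in valid_keys:  # constant-time compare against every key
        if hmac.compare_digest(key.encode("utf-8"), presented.encode("utf-8")):
            return True, "ok"
    return False, "invalid api key"


def unsubscribe_page(token, subscriptions, confirm_email=None):
    """Unsubscribe flow that neither shows nor acts on the address from the link.

    `subscriptions` maps unsubscribe token -> email. The visitor must re-enter
    the address before anything happens (the postal-code idea from the report).
    """
    email = subscriptions.get(token)
    if email is None:
        return {"status": "unknown"}
    if confirm_email is None or confirm_email.strip().lower() != email.lower():
        return {"status": "confirm_required"}  # no address echoed back
    del subscriptions[token]
    return {"status": "unsubscribed"}
```

The `confirm_required` response deliberately carries no hint, not even a masked address: a scan result that captured the unsubscribe link should reveal nothing about who it belongs to.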

The report states that IT administrators can also search urlscan.io and similar services for leaked data about their own web services or organization, request deletions or exclusions, and, if necessary, disable and rotate any leaked API keys and user tokens.
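One way to run that search, as an added example that is neither the report's nor urlscan.io's code: build a `domain:` query against the public search API, then triage one page of results for the link types the report found leaking (reset and registration pages, invitations, API paths, secret-looking query parameters) and rank public scans first so they can be submitted for deletion. The endpoint and the `domain:` query syntax are urlscan.io's; the result fields read here (`results[].task.url`, `.visibility`, `.time`, `results[]._id`, `results[].result`) follow the public search API, the heuristics are assumptions to tune per organization, and the sample response is constructed.

```python
"""Search urlscan.io for scans of your own domain and triage the hits.

Added example, not the report's or urlscan.io's code. The heuristics and the
sample response are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

SEARCH_ENDPOINT = "https://urlscan.io/api/v1/search/"

# Assumed heuristics for the link types the report lists; tune per org.
SENSITIVE_PATH_RE = re.compile(
    r"reset|password|passwd|invite|signup|register|docusign|unsubscribe"
    r"|invoice|meeting|webex|sharepoint|/api/", re.I)
SECRET_PARAM_RE = re.compile(
    r"token|key|code|sig|signature|secret|reset|invite|auth", re.I)


def build_search_url(domain, size=100):
    """URL for 'every scan whose page domain is <domain>' (one page)."""
    return f"{SEARCH_ENDPOINT}?{urlencode({'q': f'domain:{domain}', 'size': size})}"


def classify_url(url):
    """Return the reasons a scanned URL looks sensitive (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if SENSITIVE_PATH_RE.search(parts.path):
        reasons.append("sensitive path")
    secret_params = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
                     if SECRET_PARAM_RE.search(name)]
    if secret_params:
        reasons.append("secret-looking params: " + ",".join(secret_params))
    return reasons


def triage_results(response):
    """Reduce one page of search results to the scans worth acting on.

    Each row carries what a deletion request and a key-rotation decision
    need: scan id, visibility, time, result link and the flagged URL.
    Public scans are listed first.
    """
    order = {"public": 0, "unlisted": 1, "private": 2}
    hits = []
    for item in response.get("results", []):
        task = item.get("task", {})
        url = task.get("url", "")
        reasons = classify_url(url)
        if not reasons:
            continue
        hits.append({
            "id": item.get("_id"),
            "visibility": task.get("visibility"),
            "time": task.get("time"),
            "url": url,
            "reasons": reasons,
            "result": item.get("result"),
        })
    hits.sort(key=lambda h: order.get(h["visibility"], 3))
    return hits


# Constructed sample response shaped like one page from the search API.
SAMPLE_RESPONSE = {
    "results": [
        {"_id": "sample-0001",
         "result": "https://urlscan.io/api/v1/result/sample-0001/",
         "task": {"url": "https://corp.example/account/reset?token=abc123&user=alice",
                  "visibility": "public", "time": "2022-06-01T10:00:00.000Z"},
         "page": {"domain": "corp.example"}},
        {"_id": "sample-0002",
         "result": "https://urlscan.io/api/v1/result/sample-0002/",
         "task": {"url": "https://corp.example/",
                  "visibility": "public", "time": "2022-06-02T08:30:00.000Z"},
         "page": {"domain": "corp.example"}},
        {"_id": "sample-0003",
         "result": "https://urlscan.io/api/v1/result/sample-0003/",
         "task": {"url": "https://corp.example/api/v1/items?api_key=XYZ",
                  "visibility": "unlisted", "time": "2022-06-03T12:15:00.000Z"},
         "page": {"domain": "corp.example"}},
        {"_id": "sample-0004",
         "result": "https://urlscan.io/api/v1/result/sample-0004/",
         "task": {"url": "https://corp.example/meet/register?id=42",
                  "visibility": "private", "time": "2022-06-04T09:00:00.000Z"},
         "page": {"domain": "corp.example"}},
    ],
    "total": 4,
}


if __name__ == "__main__":
    print(build_search_url("corp.example"))
    for hit in triage_results(SAMPLE_RESPONSE):
        print(hit["visibility"], hit["id"], hit["url"], hit["reasons"])
```

Fetch the real page with `requests.get(build_search_url(domain), headers={"API-Key": key})` and pass the decoded JSON to `triage_results`; the API pages its results, so repeat for further pages. The same triage function is worth running over your own team's submissions, which is the periodic review of submitted scans the report recommends.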

urlscan.io users and security teams who integrate the service should review their submission, integration and account visibility settings, the report adds, keep their integrations up to date, regularly review their submitted scans, and check the urlscan.io blog post for more information.
