Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable on urlscan.io, a security tool used to analyze URLs.
What is urlscan.io?
urlscan.io describes itself as “a sandbox for the web”, where you can submit URLs which are then analyzed and scanned in various ways, mainly to detect malicious websites such as phishing sites.
For every scan result, the service provides a lot of information:
- The submitted URL (with all GET parameters)
- The effective URL in case of a redirect
- Any HTTP requests that were performed while scraping/scanning the URL
- Information about the IPs and domains communicated with
- A screenshot of the page taken at the time of the scan
- The full HTML response of the site
With this type of API integration (for example, a security tool that scans every incoming email and submits every link to urlscan.io) and the amount of data in the database, a wide variety of sensitive data can be searched for and retrieved by an anonymous user.
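As an added example (not code from the article or from urlscan.io), the following script screens a set of scan records for URLs on your own domains that carry the kinds of secrets listed above (reset tokens, invite or share links, invoices) so that such scans can be deleted or made private. The record layout, the parameter names and the sample records are constructed assumptions for this example, not the real urlscan.io API schema.

```python
"""Flag scan records whose URLs carry secret-bearing parameters or paths."""
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names that typically carry one-time secrets (assumed list).
SECRET_PARAMS = {"token", "reset_token", "key", "code", "invite", "sig",
                 "signature", "access_token"}
# Path fragments typical of sensitive flows (assumed list).
SECRET_PATH_HINTS = ("reset", "invite", "invoice", "share", "confirm")


def url_findings(url):
    """Return a list of reasons why this URL looks sensitive (empty if none)."""
    parts = urlsplit(url)
    findings = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            findings.append(f"query param '{name}'")
    path = parts.path.lower()
    for hint in SECRET_PATH_HINTS:
        if hint in path:
            findings.append(f"path contains '{hint}'")
            break
    return findings


def review_scans(scans, my_domains):
    """Return (scan_id, url, findings) for every public scan that exposes a
    sensitive URL on one of my_domains. Each scan record is assumed to hold
    the submitted URL, the effective URL and the URLs requested during the scan."""
    flagged, seen = [], set()
    for scan in scans:
        if scan["visibility"] != "public":
            continue
        for url in [scan["submitted_url"], scan["effective_url"], *scan["request_urls"]]:
            host = urlsplit(url).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in my_domains):
                continue
            findings = url_findings(url)
            if findings and (scan["id"], url) not in seen:
                seen.add((scan["id"], url))
                flagged.append((scan["id"], url, findings))
    return flagged


# Constructed sample records (not real scans).
RESET_URL = "https://example.com/account/reset?token=abc123"
SAMPLE_SCANS = [
    {"id": "scan-1", "visibility": "public", "submitted_url": RESET_URL,
     "effective_url": RESET_URL, "request_urls": []},
    {"id": "scan-2", "visibility": "public", "submitted_url": "https://example.com/",
     "effective_url": "https://example.com/home",
     "request_urls": ["https://example.com/static/app.js"]},
    {"id": "scan-3", "visibility": "private", "submitted_url": RESET_URL,
     "effective_url": RESET_URL, "request_urls": []},
    {"id": "scan-4", "visibility": "public",
     "submitted_url": "https://mail.example.net/confirm?code=1",
     "effective_url": "https://mail.example.net/confirm?code=1", "request_urls": []},
]

if __name__ == "__main__":
    for scan_id, url, findings in review_scans(SAMPLE_SCANS, ["example.com"]):
        print(scan_id, url, "->", ", ".join(findings))
```

Only scan-1 is reported: scan-3 is private already, and scan-4 is on a domain that is not yours.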
Apple is said to have requested an exclusion of its domains from the URL scans such that results matching certain predefined rules are periodically deleted.
Urlscan.io, following responsible disclosure from Positive Security in July 2022, has urged users to “understand the different scan visibilities, review your own scans for non-public information, review your automated submission workflows, [and] enforce a maximum scan visibility for your account.”
It has also added deletion rules to regularly delete past and future scans matching the search patterns, stating it has domain and URL pattern blocklists in place to prevent scanning of particular websites.
Positive Security researchers have added: “By actively triggering password resets for the affected email addresses at various web services such as social media sites, other email providers or banks, and then checking for recent scan results for the corresponding domains in the urlscan database, we can exploit this behavior to take over those users’ accounts.”