Researchers have warned of enterprise software misconfigurations leading to the leak of sensitive records on urlscan.io.
Urlscan.io is a website scan and analysis engine. The system accepts URL submissions and generates a wealth of data, including domains, IPs, DOM information, and cookies, alongside screenshots.
The developers say the engine’s purpose is to allow “anyone to easily and confidently analyze unknown and potentially malicious websites”. Urlscan.io supports many enterprise customers and open source projects, and an API is provided to integrate these checks into third-party products.
In a blog post published yesterday (November 2), Positive Security said the urlscan API came to its attention due to an email sent by GitHub in February, warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.
“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.
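The risk described above is an integration-side one: a tool that forwards every link it sees to urlscan.io with public visibility turns the scanner's search index into a catalogue of the organisation's URLs. The following is an added example (not code from the article, urlscan.io or Positive Security) of two defender-side checks such an integration can apply. It assumes the urlscan.io submission body takes a `url` and a `visibility` field with values `public`, `unlisted` and `private`, and that search results carry `page.url` and `task.visibility`; the list of secret-looking query parameter names, the internal host list and the sample search response are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Query-string keys that commonly carry credentials or one-time links (constructed list).
SECRET_PARAM_NAMES = {
    "token", "access_token", "auth", "password", "pwd", "key", "api_key",
    "session", "sig", "signature", "reset", "invite", "code",
}

# Hosts the organisation never wants indexed by a third-party scanner (constructed sample).
INTERNAL_SUFFIXES = ("corp.example.com", "intranet.example.com")

# Visibility level to force on every submission; "public" is the level an anonymous
# user can later search. The value set is assumed from the urlscan.io API documentation.
SAFE_VISIBILITY = "unlisted"

# Constructed sample of what a search response body looks like (assumed shape).
SAMPLE_SEARCH_RESPONSE = {
    "results": [
        {"page": {"url": "https://reset.example.com/password?token=abc"},
         "task": {"visibility": "public"}},
        {"page": {"url": "https://www.example.com/"},
         "task": {"visibility": "unlisted"}},
        {"page": {"url": "https://other.net/"},
         "task": {"visibility": "public"}},
    ]
}


def _host_matches(host, suffix):
    """True if host is suffix itself or a subdomain of it (no 'evilcorp.example.com' match)."""
    return host == suffix or host.endswith("." + suffix)


def classify_url(url):
    """Return a reason the URL should NOT be sent to a third-party scanner, else None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https"):
        return "non-http scheme"
    if any(_host_matches(host, s) for s in INTERNAL_SUFFIXES):
        return "internal host"
    if p.username or p.password:
        return "embedded credentials"
    qs = parse_qs(p.query, keep_blank_values=True)
    hits = sorted(k for k in qs if k.lower() in SECRET_PARAM_NAMES)
    if hits:
        return "secret-looking query parameters: " + ", ".join(hits)
    return None


def prepare_submission(url):
    """Build the submission body, refusing risky URLs and never leaving visibility public.

    Returns (body, None) when the URL may be submitted, or (None, reason) otherwise.
    """
    reason = classify_url(url)
    if reason:
        return None, reason
    return {"url": url, "visibility": SAFE_VISIBILITY}, None


def audit_search_results(search_json, org_suffix):
    """From a search response body, list public results whose page URL is under org_suffix.

    This is the periodic check an organisation can run against its own domains to find
    scans that an integration left publicly searchable.
    """
    leaked = []
    for r in search_json.get("results", []):
        page_url = r.get("page", {}).get("url", "")
        visibility = r.get("task", {}).get("visibility", "")
        host = (urlparse(page_url).hostname or "").lower()
        if visibility == "public" and _host_matches(host, org_suffix):
            leaked.append(page_url)
    return leaked


if __name__ == "__main__":
    for u in ("https://example.com/docs",
              "https://app.example.com/reset?token=abc",
              "https://intranet.example.com/wiki"):
        print(u, "->", prepare_submission(u))
    print("public scans of example.com:",
          audit_search_results(SAMPLE_SEARCH_RESPONSE, "example.com"))
```

The two functions address the two halves of the problem the researchers describe: `prepare_submission` is the gate an email or link scanner should pass every URL through before calling the scan endpoint, and `audit_search_results` is the check to run over a search for your own domain to find what earlier, less careful integrations have already exposed.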