Sometimes you leak important data without knowing it.
Many companies already use a range of tools to raise their security level.
A large number of those tools rely on urlscan.io. urlscan.io is an online sandbox that scans URLs for known threats. Received a link you find suspicious and want to check it? Paste it into urlscan.io. It opens the link for you in an isolated environment and reports back on the threats it may hold. urlscan.io then stores the scanned link in an online database, which you can consult to see whether others have received the same suspicious link. Part of this database is open to everyone and can be browsed on their website.
Such a security tool typically submits links to urlscan.io without any action on your part, for example:
- The tool may include an automatic mailbox scanner: every link you receive by email is submitted to urlscan.io.
- The tool may read the links you type into your browser's address bar; these are submitted to urlscan.io automatically and you receive live warnings about dangerous links as you enter them.
Every scan submitted to urlscan.io carries one of three visibility levels:
- Public (the scan is shown on the front page, in public search results and on info pages)
- Unlisted (the scan is kept off the front page and public search results, but remains visible to Pro users)
- Private (the scan is only visible to you and to anyone you share the result with; private scans are deleted from their systems after a retention period)
What is the problem with automatically scanned links appearing in an online database, you might ask?
1) Token or Session ID
Many URLs contain tokens and/or session IDs. When you log in to a website you are often offered a "remember me" option. If you tick it and log in, the website hands you a token or a session ID: a kind of key that grants access to your account without logging in every time. Whoever presents that session ID or token is trusted by the server as you, without being asked for a password. Tokens and session IDs expire after some time; once they have expired, you must log in with your credentials again to obtain a new one.
Some websites place these tokens or session IDs in the URL itself. A security tool may then automatically submit such a link, token included, to urlscan.io. If the tool's urlscan.io API visibility is set to public or unlisted, the link with your token or session ID ends up online for others to read. Anyone who finds it can use your token or session ID to access your account on that website without a password, for as long as the token remains valid. This is also why session identifiers belong in cookies or headers rather than in the URL: a URL is copied into browser history, Referer headers, proxy and server logs, and, as shown here, third-party scanners.
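The following Python script is an added example, not code from the original post or from urlscan.io. It shows two sides of the issue described above: how a defender can triage URLs pulled from urlscan.io for session-bearing parameters (by parameter name, by a Java-style `;jsessionid=` path parameter, or by a long random-looking value under any name), and how a tool that submits links should redact those values first. The live API call is replaced by a constructed response embedded inline; the only shape assumed is a `results` list whose entries carry `task.url` and `task.visibility`. All hostnames, parameter names and values are made up.

```python
"""Triage scan results for session-bearing URLs and redact them before submission.

Added example (not from the original post or from urlscan.io). The urlscan.io
search call is replaced by a constructed response so the script runs offline.
"""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry a session identifier or bearer token
# (assumption: a starting list, extend it for the applications you monitor).
SENSITIVE_PARAM_NAMES = {
    "sessionid", "session_id", "sessid", "sid", "phpsessid", "jsessionid",
    "asp.net_sessionid", "token", "access_token", "auth_token", "api_key",
    "apikey", "auth", "code", "remember_token",
}


def shannon_entropy(value: str) -> float:
    """Bits per character; random hex/base64 secrets sit well above plain words."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(name: str, value: str) -> bool:
    """Flag by known parameter name, or by a long high-entropy value under any name."""
    if name.lower() in SENSITIVE_PARAM_NAMES:
        return True
    return (
        len(value) >= 16
        and re.fullmatch(r"[A-Za-z0-9_\-.~%]+", value) is not None
        and shannon_entropy(value) >= 3.5
    )


def find_secret_params(url: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the query string and from a ';jsessionid=' path parameter."""
    parts = urlsplit(url)
    found = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
             if looks_like_secret(n, v)]
    # Java servlet containers put the session ID in the path: /app;jsessionid=ABC
    m = re.search(r";jsessionid=([^;/?#]+)", parts.path, re.IGNORECASE)
    if m:
        found.append(("jsessionid", m.group(1)))
    return found


def redact_url(url: str) -> str:
    """Replace secret-looking values with a placeholder; what a submitting tool should send."""
    parts = urlsplit(url)
    path = re.sub(r"(;jsessionid=)[^;/?#]+", r"\1REDACTED", parts.path, flags=re.IGNORECASE)
    query = [(n, "REDACTED" if looks_like_secret(n, v) else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


# Constructed sample shaped like a urlscan.io search response (assumption: only the
# task.url and task.visibility fields are used). Hosts, paths and values are made up.
SAMPLE_SEARCH_RESPONSE = {
    "results": [
        {"task": {"visibility": "public",
                  "url": "https://portal.example.com/account?sessionid=8f3a9c2d1e4b7f60a1b2c3d4e5f60718&lang=en"}},
        {"task": {"visibility": "unlisted",
                  "url": "https://portal.example.com/app;jsessionid=0A1B2C3D4E5F60718293A4B5C6D7E8F9?view=home"}},
        {"task": {"visibility": "public",
                  "url": "https://portal.example.com/docs/page?id=42&lang=en"}},
        {"task": {"visibility": "public",
                  "url": "https://portal.example.com/landing?ref=Xk2pQ9vL7mR4tW8yB3nH6jZ1"}},
    ]
}


def triage_search_results(response: dict) -> list[dict]:
    """Report every scanned URL that carries a secret-looking parameter, with its redacted form."""
    hits = []
    for r in response.get("results", []):
        url = r["task"]["url"]
        secrets = find_secret_params(url)
        if secrets:
            hits.append({
                "visibility": r["task"]["visibility"],
                "url": url,
                "params": [n for n, _ in secrets],
                "redacted": redact_url(url),
            })
    return hits


if __name__ == "__main__":
    for hit in triage_search_results(SAMPLE_SEARCH_RESPONSE):
        print(f"[{hit['visibility']}] {hit['params']} -> {hit['redacted']}")
```

Of the four constructed URLs, three are reported: one by parameter name, one by the path-style `jsessionid`, and one because `ref` carries a long random-looking value even though its name is not on the list. The entropy heuristic will also catch tracking or correlation IDs, which is acceptable for a redact-before-submit policy but means a hunting run over real search results needs a manual review pass.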
2) Targeted attacks
Reaction of urlscan.io
Back to the Security MRI we were performing for the customer.
We used urlscan.io to search for URLs belonging to the customer and found one containing a session ID that was still active. Opening that link gave us immediate access to the customer's account.
We reported this finding to the customer right away. The customer contacted urlscan.io, who removed the scan containing the session ID.