Sometimes you leak important data without knowing it.

One of the services Spinae provides for customers is a “Security MRI”. During a Security MRI we search for vulnerabilities in the customer’s environment, use those vulnerabilities to move through the customer’s network, and try to end up as a domain administrator.
 
A few months ago, we performed a Security MRI for a customer. They asked us to test the external and internal security of their network. For the external test we start by gathering information that is publicly available online and then use that information to our advantage. This practice is also known as OSINT or Open-Source Intelligence.
 
During the OSINT phase we found sensitive data online that had been leaked without its owner knowing it.
Want to find out how this is possible? Read more below.

Security Tools

Many companies already use various tools to assist them in increasing their security level.

Some of these tools are really a collection of other tools. Instead of developing every security function from scratch, the vendor scans the market for tools that already provide that function and includes them in its software. Why spend money and time developing a tool that someone else has already built?
 
A number of these tools provide an API that can be used for free. Security firms call this API from their own software. It is up to the security firm to configure the API according to the needs of the software it creates.

URLScan.io

A large number of such security tools use urlscan.io. urlscan.io is an online sandbox that scans URLs for known threats. Received a link you find suspicious and want to test it? Paste the link into urlscan.io. It opens the link for you in a safe way and reports the possible threats it holds. urlscan.io then stores the scanned link and its result in an online database. You can consult this database to see whether others have also received the suspicious link. Part of this database is available to everyone and can be searched on their website.

urlscan.io can also scan links automatically through the API it provides, and security tools that use urlscan.io build on this API:
  • The security tool might have an automatic mailbox scanner that submits every link you receive through email to urlscan.io.
  • The security tool might read the links you enter in your address bar, submit them automatically to urlscan.io and give you live warnings about dangerous links.
This API, however, must be configured. Every scan submitted through the API is stored in the database, and the visibility setting passed with the request decides who can see it.
There are 3 options to choose from:
  • Public (the scan is visible on the front page and in public search results and info pages)
  • Unlisted (the scan is only visible to Pro users)
  • Private (the scan is only visible to you or to others you share the results with. Scans are deleted from their systems after a certain retention period)
You would expect security tools to always opt for Private, but that is not the case.
Some security tools have (un)knowingly set the visibility to Public or Unlisted, which makes every link scanned through the tool appear in the database.

Sensitive information

What is the problem with automatically scanned links appearing in an online database you might ask?

Think about it for a second. Do you really want every single link you receive or use to be scanned and stored in an online database which is accessible for everyone?
 
Below are 2 reasons why that is a problem.

1) Token or Session ID

Many URLs contain tokens and/or session IDs. When you log in to a website, you are often offered a “remember me” option. If you tick it and log in, the website gives you a token or a session ID. This is a form of key that gives you access to your account without logging in every time: whoever presents the session ID or token is trusted by the server without being asked for a password. These tokens and session IDs expire over time; once they have expired, you have to log in with your credentials again to obtain a new one.

These tokens and session IDs are often part of a URL when you access a website. A security tool might automatically submit such a link to urlscan.io. If the tool has set the visibility to public or unlisted, your link, token or session ID included, appears online for everyone to read, and anyone can use it to access your account without a password until it expires.

2) Targeted attacks

Another problem is the automatic scanning of links received through email. If you press “forgot password”, you receive a password reset email. If the security tool scans the links you receive through email, the reset link is scanned as well, and if the tool did not tell the urlscan.io API to store it as private, your password reset link may appear in the database for everyone to read. Malicious actors have abused exactly this: once they discovered that the security tool used by a victim leaks scanned links to urlscan.io, they triggered password resets for the victim’s mailbox and picked the reset links up from the database.
 
 
This caused sensitive access information to appear on urlscan.io without users being aware of it. The users might not even know that the security tool they use scans every link they receive.
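The two sides of this, the integration that submits links and the OSINT search that finds what it leaked, as an added example. This is not Spinae’s tooling and not code from urlscan.io; the endpoint paths and the "url"/"visibility" fields follow urlscan.io’s public API documentation, and every URL and search result in it is a constructed sample, not a real scan. The submitting side defaults to private and refuses to publish a URL that carries a session ID, token or reset link under any other visibility; the search side walks search results for a domain and flags the scans whose URL would grant access on its own, which is what the token and reset-link sections above describe.

```python
"""
Added example, not Spinae's tooling and not urlscan.io's code. Endpoint paths and
the "url"/"visibility" fields follow urlscan.io's public API documentation; every
URL and search result below is a constructed sample, not a real scan.
"""
import json
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"
SEARCH_ENDPOINT = "https://urlscan.io/api/v1/search/"
VISIBILITIES = ("public", "unlisted", "private")

# Parameter names that usually carry something usable on its own, and path
# segments typical of reset, verification and magic-link flows.
SENSITIVE_NAME = re.compile(r"token|sess|sid|auth|secret|passw|reset|otp|ticket|jwt|code", re.I)
SENSITIVE_PATH = re.compile(r"/(reset|recover|verify|confirm|magic)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is about 4, a date or a word well below 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    """Long, high-entropy value: a session ID or signed token rather than a word."""
    return len(value) >= 16 and shannon_entropy(value) > 3.0


def find_sensitive(url: str) -> list:
    """(location, name) for every part of the URL that grants access on its own."""
    parts = urlsplit(url)
    found = []
    if SENSITIVE_PATH.search(parts.path):
        found.append(("path", parts.path))
    # Query string and fragment (the OAuth implicit flow puts access_token there).
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            if SENSITIVE_NAME.search(name) or looks_like_secret(value):
                found.append((where, name))
    return found


def redact(url: str) -> str:
    """Blank the flagged values so the URL can be logged or reported safely."""
    def scrub(raw: str) -> str:
        pairs = parse_qsl(raw, keep_blank_values=True)
        return urlencode([(k, "REDACTED" if SENSITIVE_NAME.search(k) or looks_like_secret(v) else v)
                          for k, v in pairs])
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, scrub(p.query), scrub(p.fragment)))


def build_scan_request(url: str, api_key: str, visibility: str = "private") -> dict:
    """The submission an integration would send. Default to private, and refuse to
    publish a URL that carries a credential under any other visibility."""
    if visibility not in VISIBILITIES:
        raise ValueError(f"unknown visibility {visibility!r}")
    if visibility != "private" and find_sensitive(url):
        raise ValueError(f"refusing to publish a URL with a credential: {redact(url)}")
    return {"method": "POST", "url": SCAN_ENDPOINT,
            "headers": {"API-Key": api_key, "Content-Type": "application/json"},
            "body": json.dumps({"url": url, "visibility": visibility})}


def build_search_request(domain: str, size: int = 100) -> str:
    """Search URL an analyst would query for everything scanned under a domain."""
    return SEARCH_ENDPOINT + "?" + urlencode({"q": f"domain:{domain}", "size": size})


# Constructed sample in the shape of the search API's "results" entries.
SAMPLE_RESULTS = [
    {"_id": "scan-1", "task": {"visibility": "public"},
     "page": {"domain": "shop.example.com",
              "url": "https://shop.example.com/product?id=42&lang=en"}},
    {"_id": "scan-2", "task": {"visibility": "public"},
     "page": {"domain": "portal.example.com",
              "url": "https://portal.example.com/dashboard"
                     "?PHPSESSID=5d41402abc4b2a76b9719d911017c592"}},
    {"_id": "scan-3", "task": {"visibility": "unlisted"},
     "page": {"domain": "portal.example.com",
              "url": "https://portal.example.com/account/reset-password"
                     "?user=jdoe&token=7f3a9c1e4b2d6f8a0c5e7b9d1f3a5c7e"}},
]


def triage_results(results: list) -> list:
    """Keep the scans whose URL exposes a session ID, token or reset link."""
    hits = []
    for item in results:
        url = item["page"]["url"]
        findings = find_sensitive(url)
        if findings:
            hits.append({"scan": item["_id"], "visibility": item["task"]["visibility"],
                         "url": redact(url),  # never re-log the live credential
                         "findings": findings})
    return hits
```

The name list errs on the side of flagging too much (“auth” also matches “author”); for a pre-submission filter that bias is the right one, since a false positive only forces a private scan while a miss publishes a credential. The entropy check catches session IDs under names the list does not know, while a date or a word of the same length stays below the threshold.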

Reaction of URLScan.io

urlscan.io says that storing scanned links is the default behaviour of their service. If you do not want scanned URLs to appear in the database, you must set the visibility option to “private” when configuring the API.
 
 
Urlscan.io will remove the information from the visible database if you ask them to.

Security MRI

Back to the Security MRI we were performing for the customer.

We searched urlscan.io for URLs belonging to the customer and found one containing a session ID that was still active. We opened the link and had immediate access to an account of our customer.

We immediately reported this finding to our customer. The customer contacted urlscan.io and they removed the link containing the session ID.

This shows that it is useful to have your digital footprint vetted by specialists at regular intervals, so that leaks you are not aware of can be discovered and closed.
Would you like more information about Security MRIs? Then don’t hesitate to contact our security experts. We are happy to help you!