undefined | Better HN

0 pointsinternetter2y ago0 comments

URL scanners are not scanning links contained within platforms that require access control. They haven't guessed your password, and to my knowledge no communications platform is feeding all links behind authentication into one of these public URL scanning databases. As the article acknowledged in the beginning, these links are either exposed as the result of deliberate user action, or misconfigured extensions (that, I might add, are suffering from this exact same misconception).

If the actual websites are configured to not use the URL as the authentication state, all this would be avoided

0 comments

tobyjsullivan2y ago

The suggestion (in both the article and the parent) is that the platforms themselves are submitting URLs. For example, if I send a link in Discord[0] DM, it might show the recipient a message like “warning: this link is malicious”. How does it know that? It submitted the url to one of these services without your explicit consent.

[0] Discord is a hypothetical example. I don’t know if they have this feature. But an increasing number of platforms do.

internetterOP2y ago

Where in the article does it suggest this? The two bullet points at the very top of TFA is what I cited to discredit this notion, I read it again and still haven't found anything suggesting the communication platforms are submitting this themselves.

bombcar2y ago

Falcon Sandbox is explicitly mentioned - which is a middleware that can be installed on various communication platforms (usually enterprise): https://www.crowdstrike.com/products/threat-intelligence/fal...

Microsoft has "safe links": https://learn.microsoft.com/en-us/microsoft-365/security/off... - Chrome has its own thing, but there are also tons of additional hand-rolled similar features.

My main annoyance is when they kill a one-time use URL.

2 more replies

tobyjsullivan2y ago

I thought I read it in the article but I may have unconsciously extrapolated from and/or misread this part:

“I came across this wonderful analysis by Positive Security[0] who focused on urlscan.io and used canary tokens to detect potential automated sources (security tools scanning emails for potentially malicious [links])”

I don’t see any mention of messaging platforms generally. It only mentions email and does not suggest who might be operating the tooling (vendor or end users). So I seem to have miscredited that idea.

[0] https://positive.security/blog/urlscan-data-leaks

nightpool2y ago

The article says "Misconfigured scanners". Many, many enterprise communication tools have such a scanner, and if your IT team is using the free plan of whatever url scan tool they signed up for, it's a good bet that these links may end up being public.

j / k navigate · click thread line to collapse

0 pointsinternetter2y ago0 comments

If the actual websites are configured to not use the URL as the authentication state, all this would be avoided

0 comments

tobyjsullivan2y ago

[0] Discord is a hypothetical example. I don’t know if they have this feature. But an increasing number of platforms do.

internetterOP2y ago

bombcar2y ago

Microsoft has "safe links": https://learn.microsoft.com/en-us/microsoft-365/security/off... - Chrome has its own thing, but there are also tons of additional hand-rolled similar features.

My main annoyance is when they kill a one-time use URL.

2 more replies

tobyjsullivan2y ago

I thought I read it in the article but I may have unconsciously extrapolated from and/or misread this part:

[0] https://positive.security/blog/urlscan-data-leaks

nightpool2y ago

j / k navigate · click thread line to collapse