by napsterbr 1322 days ago
Off-topic, but something seems dangerously off with urlscan.io (a service I had never heard of before).

If I go to urlscan.io and look at the recently scanned sites (which are live-updated), every now and then I can find links with potentially sensitive information.

I found OneDrive and SharePoint links. I was unable to actually access the documents in them (it asked me to login), but I could see their content (or metadata) with UrlScan's "live screenshot" feature.

At one point, it scanned a "reset password" link with the authentication token in the query string (!). I was able to access that link and I would likely be able to reset the password for that specific user. I won't share the underlying website so others don't go ahead looking for it, but it was for a non-US government service.

The impression I have is that some email provider (or perhaps some antivirus software?) is automatically scanning user emails and the links are being shared publicly, alongside a "live screenshot".

I might be missing something, but this is weird.

3 comments

Nope, not missing something... it has been a problem for GitHub (https://news.ycombinator.com/item?id=30348980) and others (https://portswigger.net/daily-swig/urlscan-io-api-unwittingl...).
You are not the only one. This was posted/discussed earlier today: https://news.ycombinator.com/item?id=33435002
Makes me question if URL-as-all-factors is a secure way to authenticate someone/thing. Even with SSL encrypting the path, there is the risk of someone sharing that URL since it is a familiar thing to do to share links.
With third party cookies going away, URL parameters are the only way to do SSO across domains. Not much you can do about it.
With SAML IIRC the IdP request is GET (but hey that one is fairly public - no credentials have been supplied yet) and the response is POST back to the origin site.
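The thread's concern is a reset link whose query-string token is the whole credential, then republished by a scanner. The following is an added example (not code from the original post or from any site mentioned in it) of how a server can limit the damage of such a link: it stores only a SHA-256 digest of each token, expires tokens after a short TTL, and consumes them on first use, so a copy that turns up later on a public scanner is dead. The store, the `ResetTokenStore`/`consume` names, the 15-minute TTL and the `FakeClock` used to simulate time passing are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float


class ResetTokenStore:
    """Server-side store for password-reset tokens (hypothetical design).

    Only a SHA-256 digest of each token is kept, so a dump of the store
    does not yield working reset links. Tokens are single-use and expire
    after `ttl_seconds`, so a link that leaks (e.g. via a URL scanner's
    public feed) is only useful until the user redeems it or the TTL ends.
    """

    def __init__(self, ttl_seconds: float = 15 * 60,
                 clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so the example can fast-forward time
        self._records: dict[str, ResetRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 32 random bytes, URL-safe: this is the only place the plaintext exists.
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = ResetRecord(
            user_id, self.clock() + self.ttl)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Redeem a token; returns the user id or None. Always single-use."""
        # pop() removes the record whether or not it is still valid, so a
        # replayed or expired token can never be retried.
        record = self._records.pop(self._digest(token), None)
        if record is None:
            return None
        if self.clock() > record.expires_at:
            return None
        return record.user_id


class FakeClock:
    """Constructed clock so the example can simulate expiry offline."""

    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    store = ResetTokenStore(ttl_seconds=15 * 60, clock=clock)

    t1 = store.issue("alice")
    plaintext_stored = t1 in store._records  # False: only the digest is kept
    first = store.consume(t1)                # "alice": legitimate redemption
    replay = store.consume(t1)               # None: a scanned copy used later fails

    t2 = store.issue("bob")
    clock.now += 15 * 60 + 1                 # fast-forward past the TTL
    expired = store.consume(t2)              # None: stale link is useless

    forged = store.consume("not-a-real-token")  # None: unknown digest

    return {"first": first, "replay": replay, "expired": expired,
            "forged": forged, "plaintext_stored": plaintext_stored}


if __name__ == "__main__":
    print(demo())
```

One caveat that follows from the thread: single use only helps if the legitimate user gets there before whoever sees the scanned copy, so the page the link lands on should render a form and perform the reset on POST rather than on the GET itself; otherwise a scanner that merely fetches the URL would consume the token (or, worse, complete the reset) on the user's behalf.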