by bo1024 839 days ago
There are probably details I'm missing, but I think the fundamental issue is that "private" messages between people are presumed private, but actually the platforms we use to send messages do read those messages and access links in them. (I mean messages in a very broad sense, including emails, DMs, pasted links in docs, etc.)

URL scanners are not scanning links contained within platforms that require access control. They haven't guessed your password, and to my knowledge no communications platform is feeding all links behind authentication into one of these public URL scanning databases. As the article acknowledged in the beginning, these links are either exposed as the result of deliberate user action, or misconfigured extensions (that, I might add, are suffering from this exact same misconception).

If the actual websites are configured to not use the URL as the authentication state, all this would be avoided.

The suggestion (in both the article and the parent) is that the platforms themselves are submitting URLs. For example, if I send a link in a Discord[0] DM, it might show the recipient a message like "warning: this link is malicious". How does it know that? It submitted the URL to one of these services without your explicit consent.

[0] Discord is a hypothetical example. I don’t know if they have this feature. But an increasing number of platforms do.

Where in the article does it suggest this? The two bullet points at the very top of TFA are what I cited to discredit this notion; I read it again and still haven't found anything suggesting the communication platforms are submitting this themselves.
Falcon Sandbox is explicitly mentioned, which is middleware that can be installed on various communication platforms (usually enterprise): https://www.crowdstrike.com/products/threat-intelligence/fal...

Microsoft has "Safe Links": https://learn.microsoft.com/en-us/microsoft-365/security/off... Chrome has its own thing, but there are also tons of additional hand-rolled similar features.

My main annoyance is when they kill a one-time use URL.

Do you know if Safe Links is guilty of the issue in the OP?
I suspect not because Microsoft is using their own internal system.

However, it likely exposes the content internally to Microsoft.

They do 100% break Salesforce password reset links, which is a major PITA.
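The two complaints in this thread, a URL being the whole authentication state and scanners burning one-time reset links by fetching them, are addressed by the same design choice. This is an added example, not code from this thread, from Salesforce or from any vendor mentioned: a hypothetical reset handler in which GET never consumes the link (so a scanner that follows it changes nothing) and POST consumes it only when the account e-mail is supplied as well. The host example.test, the `ResetFlow` class and all other names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class ResetRecord:
    """Constructed stand-in for a database row; only the token's hash is stored."""
    email: str
    token_hash: bytes
    expires_at: float
    consumed: bool = False

def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()

class ResetFlow:
    """Hypothetical reset-link handler: GET never changes state, POST needs the e-mail too."""
    TTL_SECONDS = 15 * 60

    def __init__(self) -> None:
        self._records: Dict[str, ResetRecord] = {}

    def issue(self, email: str, now: float) -> str:
        """Create a single-use link for `email`; example.test is a constructed host."""
        link_id, token = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self._records[link_id] = ResetRecord(email, _digest(token), now + self.TTL_SECONDS)
        return f"https://example.test/reset/{link_id}/{token}"

    def _lookup(self, link_id: str, token: str, now: float) -> Optional[ResetRecord]:
        rec = self._records.get(link_id)
        if rec is None or rec.consumed or now > rec.expires_at:
            return None
        # Constant-time comparison against the stored hash, never the raw token.
        return rec if hmac.compare_digest(rec.token_hash, _digest(token)) else None

    def get(self, link_id: str, token: str, now: float) -> str:
        """What a browser, or a URL scanner fetching the link, sees: a form, no side effect."""
        return "form" if self._lookup(link_id, token, now) else "invalid"

    def post(self, link_id: str, token: str, email: str, now: float) -> bool:
        """Consume the token once, and only when the submitted e-mail matches the record."""
        rec = self._lookup(link_id, token, now)
        if rec is None or not hmac.compare_digest(rec.email.lower().encode(), email.lower().encode()):
            return False
        rec.consumed = True
        return True
```

A scanner that submits and fetches the link still exposes the URL, so the token should additionally be short-lived; what this pattern removes is the scanner's ability to consume the link or to complete the reset with the URL alone.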

I thought I read it in the article but I may have unconsciously extrapolated from and/or misread this part:

“I came across this wonderful analysis by Positive Security[0] who focused on urlscan.io and used canary tokens to detect potential automated sources (security tools scanning emails for potentially malicious [links])”

I don’t see any mention of messaging platforms generally. It only mentions email and does not suggest who might be operating the tooling (vendor or end users). So I seem to have miscredited that idea.

[0] https://positive.security/blog/urlscan-data-leaks

The article says "Misconfigured scanners". Many, many enterprise communication tools have such a scanner, and if your IT team is using the free plan of whatever URL scan tool they signed up for, it's a good bet that these links may end up being public.