I have had these concerns with public tools like VirusTotal, JoesSandbox, Hybrid Analysis and the like, and whenever I utilize them I always make a point of not submitting something that is sensitive to the org I work for. Most of it revolves around domains/URLs I want checked as a part of my phishing "toolkit".
But wow! I did not realize just how much data they had access to and the types of URLs people would want scanned.
That being said, good on urlscan for making changes, reaching out to customers and setting up a best practice guide in response to these concerns.
Sounds similar to Virustotal, where customers can get access to uploaded files, so if you use it to scan documents for malware, you might end up leaking them.
There are some times where cloud based solutions aren't the best option, and it seems like this may be one of them.
Not sure how much I would trust that, given how they chose to implement Apple's request to exclude their domains.
"However, when continuously monitoring the above result page, sometimes some fresh additional entries can be spotted, which disappear again within around 10 minutes.
We later found out that Apple has in the meantime requested an exclusion of their domains from the scan results, which is implemented via periodically deleting all scan results matching certain rules."
This seems like quite a big deal, and I'm quite surprised I'm not hearing more about this. These URLs are basically a free pointer into sensitive systems at their most vulnerable state, aren't they? This technique seems to bypass every other security control and just jump straight to account hijack.
Why would the default behavior be to share URLs with all parameters publicly? Am I missing or misunderstanding something here, because this sounds insane? The security model of basically every online service depends on the absolute secrecy of full URLs in emails, right? Email is treated like root.
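The concern raised in the comments above is that a URL handed to a public scanner can carry a live secret (a password-reset token, an invite code, an OAuth fragment), and the scanner's result page then republishes it. A pre-submission check that flags and redacts such URLs is the kind of guard a SOC would put in front of any public sandbox. The following is an added example written for this page, not code from urlscan.io, VirusTotal or any commenter; the parameter-name patterns, the entropy threshold and the `ORG_DOMAINS` set are constructed assumptions that a real deployment would tune to its own environment.

```python
"""Flag and redact secret-bearing URLs before they are sent to a public scanner.

Heuristics (all assumptions for this example, not anyone's published rules):
  * query parameters whose NAME suggests a credential (token, reset, otp, ...)
  * query/path/fragment VALUES that look like opaque tokens: long, containing
    digits, drawn from a URL-safe charset, with high Shannon entropy
  * hostnames under the organisation's own domains, which should never be
    submitted to a third party at all
"""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed example set: domains belonging to "our" organisation.
ORG_DOMAINS = {"corp.example"}

SENSITIVE_PARAM_RE = re.compile(
    r"token|key|secret|auth|sess|sig|reset|otp|code|nonce|passw|pwd|ticket|"
    r"confirm|verify|invite",
    re.IGNORECASE,
)
# URL-safe alphabet typical of hex / base64url tokens, at least 20 chars.
TOKEN_CHARSET_RE = re.compile(r"^[A-Za-z0-9_\-=.~%]{20,}$")
ENTROPY_THRESHOLD = 3.0  # bits per character; tuned for the example only


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    """True when a value has the shape of an opaque token rather than a word.

    Long human-readable slugs containing digits can still trip this; the check
    deliberately errs toward flagging, since a false negative leaks a secret.
    """
    if not TOKEN_CHARSET_RE.match(value) or not re.search(r"\d", value):
        return False
    return shannon_entropy(value) >= ENTROPY_THRESHOLD


def host_is_internal(host: str) -> bool:
    """True when the hostname is one of ORG_DOMAINS or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def audit_url(url: str) -> dict:
    """Return findings and a redacted copy of the URL.

    findings is empty when the URL is safe to submit as-is; otherwise each
    entry names the component that carried something sensitive.
    """
    parts = urlsplit(url)
    findings = []

    if host_is_internal(parts.hostname or ""):
        findings.append(f"host:{parts.hostname}")

    # Query string: flag by parameter name or by token-shaped value.
    redacted_pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM_RE.search(name) or looks_like_secret(value):
            findings.append(f"query:{name}")
            redacted_pairs.append((name, "REDACTED"))
        else:
            redacted_pairs.append((name, value))

    # Path segments: reset/invite links often carry the token in the path.
    redacted_segments = []
    for i, seg in enumerate(parts.path.split("/")):
        if looks_like_secret(seg):
            findings.append(f"path segment {i}")
            redacted_segments.append("REDACTED")
        else:
            redacted_segments.append(seg)

    # Fragment: OAuth implicit-flow responses put access_token here.
    fragment = parts.fragment
    if fragment and (SENSITIVE_PARAM_RE.search(fragment) or looks_like_secret(fragment)):
        findings.append("fragment")
        fragment = "REDACTED"

    redacted = urlunsplit(
        (parts.scheme, parts.netloc, "/".join(redacted_segments),
         urlencode(redacted_pairs), fragment)
    )
    return {"safe_to_submit": not findings, "findings": findings, "redacted_url": redacted}


if __name__ == "__main__":
    # Constructed sample inputs, not real links.
    for sample in (
        "https://accounts.example.com/reset?token=3f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c&user=alice",
        "https://app.example.net/invite/aB3dE5fG7hI9jK1lM3nO5pQ7",
        "https://www.example.org/docs/index.html?lang=en",
    ):
        print(audit_url(sample))
```

The redacted form is what you would still be able to submit when you only need the scanner's verdict on the host or page, not on the one-time token; a URL flagged under `host:` should not be submitted in any form, which is the point the first commenter makes about not sending org-sensitive material to public services.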
One thing that legal entities for large organizations are looking for is attestation. I worked for a SOAR company and we implemented a few playbooks for companies that both pulled data from URLscan as well as enriched it with other data and then presented it to the legal department in a packaged format right to their inbox/Slack/other so they didn't have to go somewhere and download it. I'm not sure it's the feature set you're looking for, but I feel as though attestation data is generic enough that it's useful in the SOC as well.
The use case for this was takedown requests of lookalike / copycat domains. Some of these, we found, were being used (or attempted to be used) in more advanced phishing campaigns.