Virus Total: The best way to disclose your company secrets

Hey everyone and welcome back to this new blog article.

Today I would like to share an interesting trick and some researches regarding information disclosure via Virus Total.


What is Virus Total ?

Virus Total aggregates many antivirus products and online scan engines to check for viruses that the user’s own antivirus may have missed, or to verify against any false positives.Anti-virus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software and, by extension, VirusTotal’s own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. (Wikipedia).

So the initiative seems great. The company allow users to submit a file or URL to be scanned by dozens of antivirus engine. However this feature present a serious problem: all the submissions are stored and accessible by anyone.

For files it’s not a problem because the users can’t download the file scanned directly from Virus Total. Nevertheless for URL scanned, any users can access to it.

If you hunt on Hackerone, maybe you remember this report submitted by mohammed__fayez. He found that an Hackerone customer submitted a link with a sensitive token on Virus Total. Due to the fact that anyone can see the URL scanned, anyone can see the sensitive token and potentially use it maliciously.


What we can find ?

With this Hackerone report in mind, I decided to use the same method on others companies websites.

Discord:

If you use Discord, you probably know the initiative “Discord Gift” launched during december. Discord have a premium plan and this feature allows you to pay for this premium plan and send it to a contact as a gift. To send it, discord created a specific domain: discord.gift

So let’s check on Virus Total:

Those links allow you to claim a gift that an user payed for. Fortunately, all those codes was already used. On a side note, if you reproduce the method and found a valid code, be a gentleman and don’t use it (An user payed for it !).

Random websites:

In this section, I will describe what I found during my research without disclose the website names to avoid abuse.

Token disclosure:

Most of the time, you will find sensitive tokens disclosed by users:

Reset password token
Share document token

Companies secrets:

Even if token leakage is problematic, this impact only a single user. Sometimes, the companies disclose sensitive informations that shouldn’t be public like business strategy, internal subdomains etc

Business information disclosure via URI scheme

Conclusion

Virus Total is a really great tool to scan your new software: Xx_moneygenerator_xX.exe downloaded from a youtube video. However you should use it carefully to avoid leakage of any sensitive informations.

If you are bug hunter/pentester, I highly recommend you adding Virus Total to your recon process. This website can be a real goldmine !

If you are a company, check regularly on Virus Total to be sure nothing sensitive is disclosed.

I hope you enjoyed this reading !

Yumi