This malware scanning technique can leave you vulnerable to a cyberattack

19 Aug 2019

Image: © nakophotography/

Some companies have unknowingly been leaving confidential files in a vulnerable position on the internet after uploading documents to malware scanning websites.

Documents uploaded to some popular online malware scanning sandboxes are made public once processed by these services, leaving the often sensitive data they contain completely out in the open, according to research from cybersecurity company Cyjax.

Public sandbox services allow anyone to upload a file and generate a report about what happens when the file is opened and about whether it is safe. All of the services Cyjax looked had a public feed and did not require payment in order to download or view the submissions.

Some of the most commonly opened files were invoices and purchase orders; the company collected more than 200 in three days.

“In one instance, we discovered a company that appeared to be submitting all received purchase orders into the sandbox, rendering all of them public. The company in question provides a popular deployment tool for Microsoft Windows administrators and has many high profile clients, including schools and courts,” the report explained.

By examining the invoices, Cyjax was able to determine who was using the software and the contact details of those responsible for purchasing in each respective company. The cybersecurity firm warned that this type of information effectively creates a road map for a threat actor hoping to commit business email compromise (BEC) scams or spear-phishing scams.

Cyjax also noted that CVs and professional certificates were also frequently updated, many of which contained ID photographs, addresses and even copies of passports. All of this information could be easily used to impersonate a person or steal their identity.

The company also discovered medical documents, a military air passenger request, and legal documents such as a search warrant.

“The volume of sensitive documents collected in only three days was staggering,” the researchers concluded. “In a month, a threat actor would have enough data to target multiple industries and steal the identities of multiple victims.”

Eva Short was a journalist at Silicon Republic