Security researchers have uncovered a significant security lapse involving popular code formatting and utility websites. Developers using these platforms inadvertently left behind large caches of sensitive credentials, authentication tokens, and configuration data, which were accessible to the public. This exposure highlights the risks of data leakage through third-party tools that are typically relied upon for quick coding assistance.

Exposure of Sensitive Data via Shareable Links

Both JSON Formatter and Code Beautify sites offer features allowing users to save and share generated code snippets through shareable URLs. While convenient, these URLs were found to be insecure. Anyone with access to these links could retrieve the associated data, including confidential credentials and API keys. Further investigation revealed that the sites also exposed data through a ‘Recent Links’ feature, which allowed researchers to query an API endpoint and extract large volumes of stored user submissions.

Using the /service/getDataFromID API, security firm watchTowr was able to access over 80,000 submissions accumulated over five years on JSON Formatter and one year on Code Beautify. The data included over 5GB of enriched JSON content, annotated data, and a trove of secrets such as cloud keys, database credentials, private keys, and PII.

Types of Data and Impacted Organizations

The exposed information ranged from enterprise credentials like Active Directory, database, and cloud environment keys, to sensitive API tokens used for various services. The leak also included SSH session recordings, payment gateway credentials, and private keys, posing a severe security threat to affected organizations.

Alarmingly, the data involved major institutions, including government agencies, critical infrastructure entities, healthcare providers, financial institutions, and even a well-known cybersecurity firm. For example, researchers found Active Directory credentials belonging to a U.S. bank shared through one of these sites, likely intended for private sharing but left accessible publicly.

Attempts by researchers to notify affected organizations about these leaks met with limited success. Only a few responded promptly, while many ignored multiple outreach efforts, leaving sensitive information vulnerable for extended periods. This incident underscores the importance of secure data handling practices and the risks posed by seemingly simple features like shareable links on third-party platforms.

Inspired by

• https://www.infoworld.com/article/4096169/developers-left-large-cache-of-credentials-exposed-on-code-generation-websites.html

Sources

• watchtowr.com
• jsonformatter.org
• codebeautify.org
• csoonline.com