- WatchTowr found JSONFormatter and CodeBeautify exposing sensitive data via unprotected “Recent Links” features
- Researchers pulled years of raw data, uncovering credentials, private keys, API tokens, and PII from critical industries
- Criminals are already probing the flaw, highlighting risks of uploading sensitive code to public formatting sites
Some of the top code formatting sites are exposing sensitive and identifiable information which could put countless organizations, including government and critical infrastructure ones, at risk, experts have warned.
Cybersecurity researchers WatchTowr analyzed JSONFormatter and CodeBeautify, services where users can submit code, or data (most commonly JSON), to format, validate, and "beautify" to make it easier to read and debug.
The experts say these two sites have a feature called Recent Links, which automatically lists the last files, or URLs, that were formatted or analyzed on the platform. This feature is not protected in any way, and follows a predictable URL format that can be leveraged with crawlers.
A warning to users
Given the lax security and a structured URL format, WatchTowr’s researchers managed to pull five years of JSONFormatter raw data, and a full year of CodeBeautify data.
In the data, they found all sorts of sensitive information: Active Directory credentials, database and cloud credentials, private keys, code repository tokens, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, PII and KYC information, and more.
The companies willingly and unknowingly sharing this information work in government, critical infrastructure, finance, aerospace, healthcare, cybersecurity, telecommunication, and other industries.
WatchTowr also said that even without sensitive data, the information in the code is valuable, since it often contains details about internal endpoints, IIS configuration values and properties, and hardening configurations with corresponding registry keys. Such information can help malicious actors craft targeted intrusions, bypass security controls, or exploit misconfigurations.
The researchers also said that some criminals are already abusing this vulnerability. They added fake AWS keys to the platforms, and set them to “expire” in 24 hours, but someone tried to use them 48 hours later.
"More interestingly, they were tested 48 hours after our initial upload and save (for those mathematically challenged, this is 24 hours after the link had expired and the 'saved' content was removed)," watchTowr concluded, urging users to be careful what they’re uploading.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
