- WatchTowr found that JSONFormatter and CodeBeautify exposed sensitive data via unprotected “Recent Links” features
- Researchers retrieved years of raw data and exposed credentials, private keys, API tokens and PII from critical industries
- Criminals are already investigating the flaw, highlighting the risk of uploading sensitive code to public formatting websites
Some of the top code formatting websites are exposing sensitive and identifiable information that could put countless organizations, including governments and critical infrastructures, at risk, experts have warned.
Cybersecurity researchers WatchTowr analyzed JSONFormatter and CodeBeautify, services where users can submit code or data (most often JSON) to format, validate and “beautify” to make it easier to read and debug.
The experts say that these two sites have a feature called Recent Links which automatically displays the last files or URLs that were formatted or parsed on the platform. This feature is not protected in any way and follows a predictable URL format that can be exploited by crawlers.
A warning to users
Due to lax security and a structured URL format, WatchTowr’s researchers managed to pull five years of raw JSONFormatter data and a full year of CodeBeautify data.
In the data, they found all sorts of sensitive information: Active Directory credentials, database and cloud credentials, private keys, code storage tokens, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, PII and KYC information, and more.
The organizations sharing this information, willingly if unknowingly, work in government, critical infrastructure, finance, aerospace, healthcare, cybersecurity, telecommunications and other industries.
WatchTowr also said that even without sensitive data, the information in the code is valuable, as it often contains details about internal endpoints, IIS configuration values and properties, and hardening configurations with corresponding registry keys. Such information can help malicious actors make targeted intrusions, bypass security controls, or exploit misconfigurations.
The researchers also reported evidence that criminals are already probing the flaw. They uploaded fake AWS keys to the platforms with the content set to “expire” after 24 hours, yet someone attempted to use those keys 48 hours later.
“More interestingly, they were tested 48 hours after our initial upload and save (for the mathematically challenged, this is 24 hours after the link had expired and the ‘saved’ content was removed),” watchTowr concluded, urging users to be careful about what they upload.
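The practical mitigation the article points to is formatting locally rather than pasting data into a public site. The following is an added example (not watchTowr's or TechRadar's code) of an offline JSON pretty-printer that refuses to run when credential-like content is present; the regexes, the sensitive key-name list and the sample document are constructed for illustration (the access key ID is AWS's documented example value).

```python
import json
import re

# Heuristic patterns for material that should never leave the machine.
# Assumption for this example: not a complete secret-scanner ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}
SENSITIVE_KEY_NAMES = re.compile(r"(password|passwd|secret|token|api[_-]?key|private[_-]?key)", re.I)


def find_secret_indicators(text: str) -> list:
    """Return labels for suspicious content; the values themselves are never echoed back."""
    findings = [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]
    try:
        doc = json.loads(text)
    except ValueError:
        return findings  # not JSON: only the raw-text patterns apply
    # Walk the JSON tree and flag non-empty values under credential-like key names.
    stack = [("$", doc)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if SENSITIVE_KEY_NAMES.search(str(key)) and value not in ("", None):
                    findings.append(f"sensitive_key:{path}.{key}")
                stack.append((f"{path}.{key}", value))
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", value) for i, value in enumerate(node))
    return findings


def format_json_locally(text: str, allow_secrets: bool = False) -> str:
    """Pretty-print JSON offline; refuse when credential-like content is detected."""
    findings = find_secret_indicators(text)
    if findings and not allow_secrets:
        raise ValueError("refusing to format: " + ", ".join(sorted(findings)))
    return json.dumps(json.loads(text), indent=2, sort_keys=True)


# Constructed sample resembling the kind of config people paste into formatters.
SAMPLE = ('{"db":{"host":"db.internal","password":"hunter2"},'
          '"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE","region":"eu-west-1"}')

if __name__ == "__main__":
    try:
        print(format_json_locally(SAMPLE))
    except ValueError as err:
        print(err)
```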