- WatchTowr discovered that JSONFormatter and CodeBeautify exposed sensitive data via unprotected “Recent Links” features
- Researchers mined years of raw data and discovered credentials, private keys, API tokens, and PII from critical industries.
- Criminals are already investigating the flaw, highlighting the risks of uploading sensitive code to public formatting sites.
Some major code formatting sites are exposing sensitive and identifiable information that could put countless organizations, including government and critical infrastructure organizations, at risk, experts have warned.
Cybersecurity researchers WatchTowr analyzed JSONFormatter and CodeBeautify, services where users can submit code or data (most commonly JSON) to be formatted, validated, and “beautified” to make it easier to read and debug.
Experts say these two sites have a feature called Recent Links, which automatically lists the latest files, or URLs, that were formatted or analyzed on the platform. This feature is not protected in any way and follows a predictable URL format that can be exploited by crawlers.
A warning to users
Given lax security and a structured URL format, WatchTowr researchers managed to extract five years of raw data from JSONFormatter and a full year of data from CodeBeautify.
In the data, they found all kinds of sensitive information: Active Directory credentials, database and cloud credentials, private keys, code repository tokens, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, PII and KYC information, and more.
Companies that voluntarily and unknowingly share this information work in government, critical infrastructure, finance, aerospace, healthcare, cybersecurity, telecommunications, and other industries.
WatchTowr also said that even without sensitive data, the information in the code is valuable, as it often contains details about internal endpoints, IIS configuration values and properties, and hardening configurations with corresponding registry keys. This information can help malicious actors create targeted intrusions, bypass security controls, or exploit misconfigurations.
The researchers also said that some criminals are already abusing this vulnerability. They added fake AWS keys to the platforms and set them to “expire” in 24 hours, but someone tried to use them 48 hours later.
“More interestingly, they were tested 48 hours after our initial upload and save (for those with math problems, this is 24 hours after the link expired and the ‘saved’ content was deleted),” watchTowr concluded, urging users to be careful about what they are uploading.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
