Recent research highlights a concerning issue regarding the security of sensitive information on code formatting platforms. Developers using tools like JSONFormatter and CodeBeautify may unknowingly expose critical data, including API keys and authentication credentials.
Risks of Code Formatting Platforms
Researchers from watchTowr analyzed a collection of over 80,000 pieces of JSON data saved through these formatting tools. They uncovered a staggering number of sensitive credentials, revealing serious vulnerabilities in how users interact with these platforms. As noted by the team, the results were predictable yet alarming: “it went exactly as badly as you might expect.”
Shareable Links Create Vulnerabilities
In their post titled “Stop Putting Your Passwords Into Random Websites,” the researchers pointed out a significant flaw in user awareness. When using these code formatting tools, users have the option to generate a shareable link to their formatted data. However, many do not fully grasp that this feature makes their information publicly accessible. The researchers remarked that despite the clear option to “SAVE” and the warning associated with shareable links, users often fail to understand the implications of this action.
The shared links follow a predictable structure, so anyone who knows or guesses a URL can retrieve the formatted data. Additionally, JSONFormatter and CodeBeautify maintain “Recent Links” pages that list all saved content, including titles, descriptions, and dates. This makes collecting exposed data trivial: the researchers noted that they only had to mimic the requests a legitimate user makes in order to retrieve it.
Types of Sensitive Data Exposed
The watchTowr team discovered various types of sensitive data among the unprotected JSON files. This includes credentials for Docker Hub, JFrog, and Amazon RDS associated with a “Data-lake-as-a-service” provider. They even found a case where an employee from a cybersecurity firm had inadvertently shared encrypted credentials for a highly sensitive configuration file.
Additionally, a financial services provider was found to have uploaded sensitive “know your customer” (KYC) data, while a consultancy leaked critical GitHub tokens and credentials. Perhaps most concerning was an incident involving an MSSP employee, who accidentally included Active Directory credentials in an onboarding email—along with sensitive information for a prominent U.S. bank client.
Even a major financial exchange was implicated, having leaked production AWS credentials linked to a Splunk SOAR automation system. Researchers identified these credentials within a Splunk SOAR playbook that provided access to an S3 bucket containing vital detection logic and automation logs essential for incident response. Given that this exchange is a high-value target for cybercriminals, the gravity of this leak is magnified.
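A local pre-flight check a developer can run before pasting a configuration into any online formatter, added here as an example (it is not part of the watchTowr research or of the tools discussed): it walks the JSON, flags keys and values that look like the credential types named above, redacts them, and pretty-prints locally so no hosted tool is involved. The key-name list and the value patterns (AWS access key IDs and GitHub tokens) are heuristics assumed for this example, and the sample document is constructed with fake values.

```python
import json
import re
# Key names that commonly hold credentials (heuristic list assumed for this example).
SENSITIVE_KEYS = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|credential", re.IGNORECASE)
# Value shapes of two well-known credential formats (illustrative, not exhaustive).
SENSITIVE_VALUES = [
    ("AWS access key id", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("GitHub token", re.compile(r"^gh[pousr]_[A-Za-z0-9]{36}$")),
]

def find_secrets(obj, path="$"):
    """Walk decoded JSON; return (json_path, reason) for every leaf that looks like a credential."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEYS.search(key):
                hits.append((child, f"key name '{key}' suggests a credential"))
            hits.extend(find_secrets(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_secrets(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for label, pattern in SENSITIVE_VALUES:
            if pattern.match(obj):
                hits.append((path, f"value looks like a {label}"))
    return hits

def redact(obj):
    """Return a copy with every flagged leaf replaced, so the result is safe to format or share."""
    flagged = {path for path, _ in find_secrets(obj)}
    def walk(node, path):
        if isinstance(node, dict):
            return {k: walk(v, f"{path}.{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        return "<REDACTED>" if path in flagged else node
    return walk(obj, "$")

def format_safely(obj):  # local stand-in for the online formatter: redact, then pretty-print
    return json.dumps(redact(obj), indent=2)

# Constructed sample resembling the onboarding/config data described in the article; all values are fake.
SAMPLE = json.loads("""{
  "service": "onboarding",
  "db": {"host": "rds.example.internal", "user": "app", "password": "hunter2"},
  "aws_access_key_id": "AKIAEXAMPLEEXAMPLE01",
  "ci": [{"name": "build", "token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"}]
}""")
```

Running `find_secrets(SAMPLE)` reports the database password, the AWS key (by key name and by value shape) and the GitHub token; `format_safely(SAMPLE)` produces the indented output the online tools would, with those three leaves replaced.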
Testing for Data Access
To test whether anyone else was harvesting credentials from these sources, the watchTowr team planted test credentials that expired after 24 hours. Any use of those credentials by someone other than the researchers would show that a third party was collecting and trying them. Alarmingly, the researchers found evidence that someone attempted to use these test credentials soon after they expired, suggesting that they were not alone in their efforts. “Someone else is already scraping these sources for credentials, and actively testing them,” they concluded.
The findings from this research underscore the urgent need for awareness and caution among developers using code formatting tools. The ease of generating shareable links, combined with a lack of understanding of the associated risks, can lead to severe compromises of sensitive data. A vigilant approach is critical for safeguarding information in an increasingly connected world.