- WatchTowr discovered that JSONFormatter and CodeBeautify exposed sensitive data through an unprotected “Recent Links” feature.
- Researchers recovered years of raw data, uncovering credentials, private keys, API tokens and personal information from critical industries.
- Criminals are already probing the flaw, which highlights the risks of uploading sensitive code to public formatting sites.
Experts have warned that some widely used coding websites are leaking sensitive and identifiable information that could compromise countless organizations, including governments and critical infrastructure operators.
Cybersecurity research firm WatchTowr analysed JSONFormatter and CodeBeautify, services where users submit code or data (usually JSON) to be formatted, validated and “beautified” so that it is easier to read and debug.
According to the researchers, both sites have a “Recent Links” feature that automatically lists the most recently created or crawled files or URLs on the platform. The feature has no access control at all and follows a predictable URL format that crawlers can take advantage of.
A warning to users
Because of the missing access control and the structured URL format, WatchTowr researchers were able to recover five years of raw data from JSONFormatter and a full year of data from CodeBeautify.
They found all kinds of sensitive information in the data: Active Directory credentials, database and cloud credentials, private keys, repository tokens, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, PII and KYC information, and more.
The companies that knowingly or unknowingly shared this information operate in government, critical infrastructure, finance, aerospace, healthcare, cybersecurity, telecommunications and other industries.
WatchTowr further stated that the uploaded code is valuable to attackers even when it contains no credentials, since it often reveals internal endpoints, IIS configuration values and properties, and hardening configurations with their associated registry keys. Such details can help attackers perform targeted intrusions, bypass security controls, or exploit misconfigurations.
The researchers also said that some criminals are already exploiting this weakness. They uploaded fake AWS keys to the platforms with a 24-hour “expiry”, and 48 hours later someone tried to use them.
“Most interestingly, they were tested 48 hours after our initial download and storage (for those with math problems, that’s 24 hours after the link expires and the ‘saved’ content is deleted),” watchTowr concluded, urging users to be careful about what they upload.
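As an added example (not watchTowr's code or the article's), the following Python helper formats JSON locally, so nothing is uploaded, and redacts or flags the kinds of material the research found in pasted data: credential-bearing key names, AWS access key IDs and PEM private key blocks. The detection patterns and the sample config are constructed assumptions, not a complete secret-scanning ruleset.

```python
import json
import re

# Value-shape heuristics for material watchTowr reported in pasted JSON; these are
# illustrative assumptions, not a complete secret-detection ruleset.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Key names that usually hold credentials regardless of what the value looks like.
SENSITIVE_KEYS = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|connection[_-]?string|private[_-]?key",
    re.IGNORECASE)
REDACTED = "[REDACTED]"

def scan_and_redact(node, path="$"):
    """Walk parsed JSON; return (redacted copy, findings as {path, rule} dicts)."""
    if isinstance(node, dict):
        out, findings = {}, []
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEYS.search(key):
                findings.append({"path": child, "rule": "sensitive_key_name"})
                out[key] = REDACTED
                continue
            out[key], sub = scan_and_redact(value, child)
            findings.extend(sub)
        return out, findings
    if isinstance(node, list):
        items = [scan_and_redact(item, f"{path}[{i}]") for i, item in enumerate(node)]
        return [r for r, _ in items], [f for _, sub in items for f in sub]
    if isinstance(node, str):
        for rule, pattern in VALUE_PATTERNS.items():
            if pattern.search(node):
                return REDACTED, [{"path": path, "rule": rule}]
    return node, []

def safe_pretty_print(raw):
    """Format JSON locally (nothing leaves the machine) with secrets redacted."""
    redacted, findings = scan_and_redact(json.loads(raw))
    return json.dumps(redacted, indent=2, sort_keys=True), findings

# Constructed sample resembling a service config someone might paste into a formatter.
SAMPLE = json.dumps({
    "service": "billing-api",
    "db": {"host": "db.internal.example", "password": "hunter2"},
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
    "signing_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----",
})
```

Calling `safe_pretty_print(SAMPLE)` returns the formatted document with the three secrets replaced by `[REDACTED]` together with a findings list naming the JSON path and the rule that fired, which is the check worth running before any paste into a third-party tool.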