- WatchTowr discovered that JSONFormatter and CodeBeautify exposed sensitive data via unprotected “Recent Links” features
- Researchers mined years of raw data, uncovering credentials, private keys, API tokens, and personal information from critical industries.
- Criminals are already investigating the flaw, highlighting the risks of uploading sensitive code to public formatting sites.
Some of the top code formatting sites expose sensitive and identifiable information that could put countless organizations, including those in government and critical infrastructure, at risk, experts have warned.
Cybersecurity researchers WatchTowr analyzed JSONFormatter and CodeBeautify, services where users can submit code or data (most commonly JSON), to format, validate, and “beautify” for easier reading and debugging.
Experts say both sites have a feature called Recent Links, which automatically lists the latest files, or URLs, formatted or crawled on the platform. This feature is not protected in any way and follows a predictable URL format that can be exploited by web crawlers.
A warning to users
Given lax security and a structured URL format, WatchTowr researchers managed to extract five years of raw JSONFormatter data and a full year of CodeBeautify data.
In the data, they found all sorts of sensitive information: Active Directory credentials, database and cloud credentials, private keys, code repository tokens, CI/CD secrets, payment gateway keys, API tokens, SSH session recordings, PII and KYC information, and more.
Companies that willingly and unknowingly share this information work in government, critical infrastructure, finance, aerospace, healthcare, cybersecurity, telecommunications, and other industries.
WatchTowr also said that even without sensitive data, the information contained in the code is valuable, as it often contains details about internal endpoints, IIS configuration values and properties, as well as hardening configurations with corresponding registry keys. This information can help malicious actors create targeted intrusions, bypass security controls, or exploit configuration errors.
The researchers also said that some criminals are already exploiting this vulnerability. They added fake AWS keys to the platforms and set them to “expire” in 24 hours, but someone tried to use them 48 hours later.
“More interestingly, they were tested 48 hours after our initial download and save (for those who are mathematically challenged, that’s 24 hours after the link expired and the ‘saved’ content was deleted),” watchTowr concluded, urging users to be careful about what they download.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
