Code Beautifiers Leak Bank, Government, and Tech Credentials

Summary
– Thousands of credentials and sensitive data from organizations in high-risk sectors were exposed through publicly accessible JSON snippets on JSONFormatter and CodeBeautify online tools.
– Researchers discovered over 80,000 user pastes totaling more than 5GB of data via the unprotected Recent Links feature, which uses predictable URLs easily scraped by crawlers.
– The exposed data included Active Directory credentials, private keys, API tokens, PII, and sensitive details from government, financial, and cybersecurity entities.
– A honeypot experiment revealed that threat actors accessed fake AWS keys 24 hours after the links expired, showing active scanning for sensitive information on these platforms.
– Despite notifications to affected organizations, the Recent Links feature remains freely accessible, allowing continued data exposure and potential exploitation by attackers.
A significant security lapse involving popular online code beautification tools has led to the exposure of thousands of sensitive credentials from major banks, government bodies, and technology firms. Researchers uncovered that publicly accessible JSON snippets submitted to JSONFormatter and CodeBeautify contained authentication keys, configuration files, and personal data, all available without any protective barriers.
The investigation, conducted by external attack surface specialists, revealed that a feature known as “Recent Links” on both platforms allowed anyone to view user-submitted code pastes. When individuals used the ‘save’ function to temporarily store JSON data, the services generated a unique, public web address for each entry. These links were then listed on an openly accessible page with a predictable URL structure, making it simple for automated scripts to harvest vast quantities of data.
Over five years of data from JSONFormatter and one year from CodeBeautify were compiled, amounting to more than 80,000 individual pastes and over 5GB of information. The exposed data included highly sensitive materials such as Active Directory credentials, database and cloud access keys, private encryption keys, and API tokens. Additionally, code repository tokens, CI/CD pipeline secrets, and payment gateway keys were found among the leaks. A substantial volume of personally identifiable information, including know-your-customer documentation, was also publicly available.
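Every category in that list (directory passwords, cloud access keys, PEM private keys, API tokens) is detectable before a snippet is ever pasted into a public formatter. The following is an added example, not code from the article or the researchers: a small pre-share scanner that walks a JSON document, flags values by key name or by value shape, and returns a redacted copy. The detection patterns, the key-name list and the sample paste are constructed for illustration, and real deployments would use a maintained secret-scanning ruleset rather than these few regexes.

```python
import json
import re

# Value-shape patterns (constructed, illustrative; a real ruleset is much larger).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}

# Key names whose string values are treated as secrets regardless of shape.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|connection[_-]?string)",
    re.I,
)

REDACTED = "[REDACTED]"


def scan_json(text):
    """Parse a JSON paste; return (findings, redacted_document).

    findings is a list of (json_path, reason) tuples.
    """
    doc = json.loads(text)
    findings = []
    redacted = _walk(doc, "$", findings)
    return findings, redacted


def _walk(node, path, findings):
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEY.search(key):
                findings.append((child, "sensitive_key_name"))
                out[key] = REDACTED
            else:
                out[key] = _walk(value, child, findings)
        return out
    if isinstance(node, list):
        return [_walk(v, f"{path}[{i}]", findings) for i, v in enumerate(node)]
    if isinstance(node, str):
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.search(node):
                findings.append((path, reason))
                return REDACTED
    return node


def is_safe_to_share(text):
    """True only when the scanner finds nothing that looks like a credential."""
    findings, _ = scan_json(text)
    return not findings


# Constructed sample paste mirroring the data classes named in the article:
# AD credentials, cloud keys, a private key, and internal hostnames.
SAMPLE_PASTE = json.dumps({
    "ad": {"domain": "corp.example", "user": "svc_backup", "password": "Winter2024!"},
    "aws": {
        "access_key_id": "AKIAEXAMPLEKEY123456",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    "tls": {"key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----"},
    "hosts": ["10.0.0.5", "dc01.corp.example"],
})

if __name__ == "__main__":
    found, clean = scan_json(SAMPLE_PASTE)
    for json_path, reason in found:
        print(f"{json_path}: {reason}")
    print(json.dumps(clean, indent=2))
```

Hostnames and IP addresses are deliberately left in place: as the article notes, they are intelligence rather than secrets, and a scanner that redacts everything stops being used. The practical control is to run a check like this (or a maintained tool such as a pre-commit secret scanner) before any configuration leaves the workstation, and to prefer a locally installed formatter over a web service for anything that came out of a production system.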
Among the compromised entities were organizations from critical sectors. One international stock exchange had its AWS credential set for a Splunk SOAR system exposed. A managed security service provider inadvertently leaked not only its own Active Directory credentials but also the email and identity-based login details for a prominent U.S. bank, described as its most important client. A cybersecurity firm’s submission included encrypted credentials for a highly sensitive configuration file, SSL certificate private key passwords, and internal hostnames and IP addresses.
Government-related pastes contained extensive PowerShell scripts used for system configuration. While these scripts may not have held direct secrets, they provided attackers with valuable intelligence about internal endpoints, IIS configurations, and specific registry keys used for system hardening. A technology company specializing in Data Lake-as-a-Service products exposed a cloud infrastructure configuration file complete with domain names, email addresses, and credentials for services like Docker Hub and Grafana.
To gauge whether malicious actors were already exploiting this data, researchers set up a honeypot using fake AWS access keys planted within JSON entries on both platforms. These entries were set to automatically expire after 24 hours. Surprisingly, the decoy credentials received access attempts a full 48 hours after the initial upload, meaning someone tried to use them 24 hours after the links had theoretically become invalid and the data was removed.
Despite notifications sent to numerous affected organizations, many did not respond or take corrective action. The “Recent Links” sections on both JSONFormatter and CodeBeautify remain freely accessible at this time, providing a continuous source of potentially valuable information for threat actors scanning for exposed credentials.
(Source: Bleeping Computer)