
Code Formatting Sites Leak User Secrets and Credentials

Summary

– JSONFormatter and CodeBeautify are exposing sensitive user data like credentials and API keys through their public and predictable shareable links.
– Researchers found over 80,000 saved entries containing critical information from various sectors, including government, finance, and healthcare.
– Malicious actors are actively scraping these sites for credentials, as confirmed by canary token misuse within 48 hours.
– Attempts to warn affected organizations were largely unacknowledged, and similar risks likely exist on other code formatting websites.
– Users should avoid pasting sensitive data into online tools, as anything entered can be stored and potentially exposed.

Popular online code formatting platforms like JSONFormatter and CodeBeautify have been found to inadvertently expose highly sensitive user data, including passwords, API keys, and confidential configuration files. Security analysts from watchTowr uncovered that these widely used web services, which help developers tidy up and validate code, are leaking private information through publicly accessible links.

These free tools allow users to format messy code, check its validity, or convert it into different structures. A save function lets individuals store their formatted output and share it with colleagues. According to the site’s own FAQ, any code saved without a user account automatically becomes publicly viewable.

Both websites feature a Recent Links section where anyone can browse through publicly saved outputs. Alarmingly, the researchers discovered that even links intended to remain private could be accessed because the websites use a predictable pattern for generating URLs. This vulnerability enabled watchTowr to systematically locate and collect over 80,000 saved JSON entries.

Within this massive data haul, investigators identified a disturbing array of exposed secrets. The information included Active Directory login details, GitHub access tokens, cloud service environment keys, and private cryptographic keys. Also found were credentials for CI/CD pipelines, various API keys, internal configuration files, recorded SSH sessions, and personally identifiable information.

Perhaps most concerning was the origin of these leaks. The compromised data belonged to organizations operating in highly regulated and critical industries, such as government agencies, financial institutions, healthcare providers, telecommunications firms, retail corporations, aerospace companies, educational bodies, and even cybersecurity firms.

To gauge whether malicious actors were already exploiting this security flaw, the team set up a trap. They inserted several canary tokens, fake credentials designed to alert when accessed, into both JSONFormatter and CodeBeautify. The results were swift and unsettling. Within just 48 hours of saving the data, an unknown party attempted to use one of the decoy AWS keys.
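The canary approach described above only pays off if someone is watching for the decoy to be used. The following is an added example, not code from watchTowr or from either site: it scans constructed CloudTrail-style JSON events for API calls made with planted decoy access key IDs and reports where each decoy was planted, who used it and what they tried. The decoy key IDs, the `DECOY_KEYS` mapping and the sample events are all assumptions made for this example.

```python
import json
from typing import Dict, Iterable, List

# Hypothetical decoy access key IDs, each mapped to the place it was deliberately
# planted. The IDs are constructed for this example and are not real AWS keys.
DECOY_KEYS: Dict[str, str] = {
    "AKIAEXAMPLEDECOY0001": "jsonformatter-paste",
    "AKIAEXAMPLEDECOY0002": "codebeautify-paste",
}

# Constructed CloudTrail-style events, one JSON object per line. Field names follow
# the CloudTrail record layout; every value here is made up for the example.
SAMPLE_EVENTS = """\
{"eventTime":"2025-01-10T09:12:44Z","eventName":"GetCallerIdentity","eventSource":"sts.amazonaws.com","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEDECOY0001","userName":"decoy-user"},"errorCode":"AccessDenied"}
{"eventTime":"2025-01-10T09:13:02Z","eventName":"ListBuckets","eventSource":"s3.amazonaws.com","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEDECOY0001","userName":"decoy-user"},"errorCode":"AccessDenied"}
{"eventTime":"2025-01-10T09:15:30Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"198.51.100.20","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAREALKEYNOTADECOY","userName":"ops-automation"}}
"""


def detect_canary_hits(lines: Iterable[str],
                       decoys: Dict[str, str] = DECOY_KEYS) -> List[dict]:
    """Return one alert record per event that used a planted decoy key.

    A decoy key carries no permissions, so a hit is expected to show
    AccessDenied; the point is the attempt itself, not its outcome.
    """
    hits: List[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole scan
        key_id = (event.get("userIdentity") or {}).get("accessKeyId")
        if key_id in decoys:
            hits.append({
                "planted_at": decoys[key_id],
                "access_key_id": key_id,
                "time": event.get("eventTime"),
                "source_ip": event.get("sourceIPAddress"),
                "api_call": f"{event.get('eventSource')}:{event.get('eventName')}",
                "outcome": event.get("errorCode", "Success"),
            })
    return hits


def count_by_source_ip(hits: List[dict]) -> Dict[str, int]:
    """Aggregate hits per source IP, a quick view of who is testing the decoys."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["source_ip"]] = counts.get(h["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_canary_hits(SAMPLE_EVENTS.splitlines())
    for h in found:
        print(f"ALERT decoy from {h['planted_at']} used at {h['time']} "
              f"by {h['source_ip']} -> {h['api_call']} ({h['outcome']})")
    print(count_by_source_ip(found))
```

Because the decoy key maps back to where it was planted, a single hit tells you which third-party tool leaked it, which is exactly the signal the researchers were after. In a real deployment the same matching runs over the CloudTrail or SIEM feed rather than a string constant, and the decoy identities are created with no permissions so the outcome is always a denied call.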

This confirmed that threat actors are actively scraping these sites for valid credentials and testing them for unauthorized access. The researchers decided to disclose their findings publicly after their attempts to privately alert most of the affected organizations went largely unacknowledged.

Although JSONFormatter has since made its Recent Links section inaccessible and temporarily disabled its save feature to prevent inappropriate content, CodeBeautify’s public listing remains active. Security professionals, including researcher Kevin Beaumont, warn that this is likely a widespread issue affecting numerous other online code formatting and beautification services.

The underlying problem highlights a significant operational risk. Convenient web-based tools can pose serious security threats if they store or expose sensitive input data. Security experts stress that organizations, especially those in critical sectors, should avoid pasting any confidential credentials or secrets into random third-party websites, no matter how useful they may seem.
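The practical counterpart to the advice above is to scrub a document locally before it goes anywhere near a third-party formatter. The following is an added example, not code from the article, watchTowr or either site: it walks a JSON document, redacts values whose key name looks sensitive or whose value matches a credential shape (AWS access key IDs, GitHub tokens, PEM private keys, JWTs), and reports what it found and where. The pattern list is a small constructed set and is deliberately not exhaustive; the sample configuration is also constructed for this example.

```python
import json
import re
from typing import Any, List, Tuple

# Key names that should never leave the machine in clear text (hypothetical, minimal set).
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)

# Value shapes that identify a credential regardless of its key name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}

REDACTED = "[REDACTED]"

# Constructed sample: the kind of service config that ends up pasted into a formatter.
# The AWS key ID is the documented AWS example value, not a live key.
SAMPLE_CONFIG = """{
  "service": "billing-api",
  "db": {"host": "db.internal.example", "user": "billing", "password": "hunter2"},
  "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
  "github": {"repo": "example/billing", "token": "ghp_0123456789abcdefghijklmnopqrstuvwxyzAB"},
  "tls_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEow...\\n-----END RSA PRIVATE KEY-----",
  "endpoints": ["https://api.example/v1", "https://api.example/v2"]
}"""


def _redact(node: Any, path: str, findings: List[Tuple[str, str]]) -> Any:
    """Recursively copy `node`, replacing secrets and recording (json_path, reason)."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}.{key}"
            # Scalar under a sensitive key name: redact on the key alone.
            if isinstance(value, (str, int, float)) and SENSITIVE_KEY.search(key):
                findings.append((child, "sensitive_key_name"))
                out[key] = REDACTED
            else:
                out[key] = _redact(value, child, findings)
        return out
    if isinstance(node, list):
        return [_redact(v, f"{path}[{i}]", findings) for i, v in enumerate(node)]
    if isinstance(node, str):
        # Any key name: redact when the value itself has a known credential shape.
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.search(node):
                findings.append((path, reason))
                return REDACTED
    return node


def scrub(json_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (pretty-printed redacted JSON, list of findings) for a JSON document."""
    findings: List[Tuple[str, str]] = []
    cleaned = _redact(json.loads(json_text), "$", findings)
    return json.dumps(cleaned, indent=2), findings


if __name__ == "__main__":
    text, found = scrub(SAMPLE_CONFIG)
    for where, why in found:
        print(f"redacted {where}: {why}")
    print(text)
```

Running `scrub` on the sample catches the database password and GitHub token by key name, and the AWS key ID and the private key by value shape even though their keys (`access_key_id`, `tls_key`) are not in the key-name list; that second path is what makes the check useful on unfamiliar documents. Treat this as a last line of defence rather than a licence to paste: pattern lists are never complete, and the only input a third-party site cannot store is the one it never receives.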

(Source: HelpNet Security)
