
New research has revealed that organizations in sensitive industries, such as governments, telecommunications, and critical infrastructure, are exposing passwords and credentials by pasting them into online code formatting and validation tools such as JSONformatter and CodeBeautify.
Cybersecurity company watchTowr Labs captured a data set of more than 80,000 files from these sites, uncovering thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, cloud environment keys, LDAP configuration information, and API keys.
Scope of the Data Leak
watchTowr Labs’ analysis revealed that the exposed information spanned five years of historical content from JSONFormatter and one year from CodeBeautify, totaling more than 5GB of rich and annotated JSON data.
The organizations affected by this data leak operate in critical sectors such as:
- National critical infrastructure
- Government
- Finance, insurance and banking
- Technology and telecommunications
- Health and education
- Even cybersecurity companies
The Exposure Mechanism
The problem is that these online tools, popular with developers and administrators, let users save a JSON structure or formatted code, which creates a shareable link. watchTowr Labs' research found that the sites not only list recently saved links but also use a predictable URL format, which makes it easy for a malicious actor to enumerate and extract all saved data with a simple crawler.
Some examples of leaked information include:
- Jenkins secrets
- Encrypted credentials from a cybersecurity company
- Know Your Customer (KYC) information from a bank
- AWS credentials from a major financial exchange tied to Splunk
- Active Directory credentials from a bank
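As an added defensive illustration (not code from watchTowr Labs or the article), the script below pretty-prints JSON locally after redacting credential-looking fields, so formatted output can be shared without the kind of secrets the report found (Jenkins secrets, AWS keys, LDAP and Active Directory passwords). The key and value patterns and the sample document are constructed assumptions, not data from the leak.

```python
import json
import re

# Key names that commonly carry credentials in the JSON types the report lists.
SENSITIVE_KEY = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key", re.IGNORECASE)
# Value patterns: AWS access key IDs (AKIA + 16 uppercase alphanumerics) and PEM keys.
SENSITIVE_VALUE = [re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
                   re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")]
REDACTED = "[REDACTED]"

def redact(node, path="$", findings=None):
    """Return (redacted copy, findings); findings are JSONPath-like locations."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            here = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and isinstance(value, (str, int, float)):
                findings.append(here)          # credential-looking key: drop the value
                out[key] = REDACTED
            else:
                out[key], _ = redact(value, here, findings)
        return out, findings
    if isinstance(node, list):
        return [redact(v, f"{path}[{i}]", findings)[0] for i, v in enumerate(node)], findings
    if isinstance(node, str) and any(rx.search(node) for rx in SENSITIVE_VALUE):
        findings.append(path)                  # secret embedded in a free-text value
        return REDACTED, findings
    return node, findings

def safe_format(raw):
    """Pretty-print JSON locally, redacting credential-looking fields first."""
    data, findings = redact(json.loads(raw))
    return json.dumps(data, indent=2), findings

# Constructed sample resembling the leaked artifacts the report lists; the AWS key ID
# is AWS's documented placeholder, not a real credential.
SAMPLE = json.dumps({
    "jenkins": {"credentialsId": "deploy", "secret": "constructed-jenkins-secret"},
    "aws": {"region": "us-east-1", "notes": "rotate AKIAIOSFODNN7EXAMPLE next week"},
    "ldap": {"url": "ldap://dc.example.test", "bindPassword": "constructed-bind-pw"},
    "users": [{"name": "alice", "password": "constructed-user-pw"}],
})

if __name__ == "__main__":
    formatted, hits = safe_format(SAMPLE)
    print(formatted)
    print("redacted fields:", hits)
```

The findings list doubles as an audit trail: if it is non-empty, the document should not leave the machine at all, and the named paths tell the owner which credentials to rotate.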
Confirmed Exploitation by Malicious Actors
To confirm the risk, watchTowr Labs uploaded fake AWS access keys to one of these tools. In just 48 hours, they detected attempts to abuse these keys by malicious actors. This shows that the valuable information exposed in these sources is being actively tracked and tested by third parties.
Security researcher Jake Knott of watchTowr Labs commented: “This is really, really stupid. We don’t need more AI-powered agent platforms; we need fewer critical organizations gluing credentials to random websites.”
Response from Tool Suppliers
Following the investigation, JSONFormatter and CodeBeautify temporarily disabled the save functionality, stating that they were “working to improve it” and implementing “not safe for work” content prevention measures. watchTowr suspects that this change occurred in September in response to communications from several affected organizations that it had alerted.
Conclusions
The investigation highlights a fundamental flaw in organizations’ security hygiene. Relying on unverified online tools to manipulate sensitive data creates a leak point for critical information that attackers are actively exploiting. This incident serves as a crucial reminder of the importance of implementing strict policies on credential management and staff awareness to avoid practices that compromise information security.
References
- watchTowr Labs report on JSONformatter and CodeBeautify (mentioned in the article)
- The Hacker News (news source)