Platforms that developers use to format their input unintentionally share “thousands” of secrets, according to new research.
Researchers from watchTowr captured a dataset of more than 80,000 saved pieces of JSON from code formatting tools JSONFormatter and CodeBeautify and parsed the dataset to discover “thousands of secrets” such as Active Directory and AWS credentials, authentication and API keys, and more.
In typical watchTowr snark, the researchers noted, “it went exactly as badly as you might expect.”
Code Formatting Tools Create Shareable Links
In a post titled, “Stop Putting Your Passwords Into Random Websites,” the researchers noted that users of the code formatting tools can create “a semi-permanent, shareable link to whatever you just formatted.”
“[I]t is fairly apparent that the word ‘SAVE’ and being given shareable link was not enough to help most users understand that, indeed yes, the content is saved and the URL is shareable – enabling anyone to recover your data when armed with the URL,” the researchers wrote.
Those links follow common, intuitive formats, they said, and JSONformatter and CodeBeautify also have “Recent Links” pages that allow a random user to browse all saved content and associated links, along with the titles, descriptions, and dates.
“This makes extraction trivial – because we can behave like a real user using legitimate functionality,” the researchers said. “For every provided link on a Recent Links page, we extracted the id value, and requested the contents from the /service/getDataFromID endpoint to transform it into the raw content we’re really after.”
Data Shared by Code Formatting Tools
Among the sensitive data found by the researchers were credentials for Docker Hub, JFrog, Grafana and Amazon RDS for a “Data-lake-as-a-service” provider.
A cybersecurity company “had actually pasted a bunch of encrypted credentials for a very sensitive configuration file … to this random website on the Internet.”
A financial services company had uploaded sensitive “know your customer” (KYC) data.
A consultancy leaked GitHub tokens, hardcoded credentials, and URLs pointed at delivery-related files on GitHub. In the process of uploading an entire configuration file for a tool, “a GitHub token was disclosed that, based on the configuration file, we infer (guess) had permissions to read/write to files and folders on the main consultancy organization’s account.”
An MSSP employee uploaded an onboarding email “complete with Active Directory credentials … they also included a second set: credentials for the MSSP’s largest, most heavily advertised client – a U.S. bank.”
A ”major financial exchange” leaked production AWS credentials “directly associated with Splunk SOAR automation at a major international stock exchange.”
“[W]e realised we’d found a Splunk SOAR playbook export,” the researchers said. “Embedded in that export were credentials to an S3 bucket containing detection logic and automation logs – essentially the brain powering parts of an incident-response pipeline.
“This was not your average organization, but a truly tier-0 target in-scope of the most motivated and determined threat actors, who would absolutely capitalize on being able to leverage any ability to blind or damage security automation. We promptly disclosed them to the affected stock exchange for remediation.”
Researchers Set Up Test Credentials
To make sure that they weren’t the only ones accessing the data, watchTowr set up test credentials with a 24-hour expiry.
“[I]f the credentials were used after the 24-hour expiry, it would indicate that someone had stored the upload from the ‘Recent Links’ page before expiry and used it after it had technically expired,” they said. Sure enough, someone started poking around the test datasets a day after the link had expired and the “saved” content was removed.
watchTowr told The Cyber Express that if a user chooses to “save” their content, it remains accessible for the duration they configured. “And because most users never set a short — or any — expiry period, that data often sat exposed far longer than they realized,” watchTowr said. “Once the configured window passed, the links did technically expire and should no longer have been reachable. But the core issue is that the vast majority of users left content saved indefinitely, creating long-tail exposure that attackers could easily abuse.”
The researchers concluded: “We’re not alone – someone else is already scraping these sources for credentials, and actively testing them.”
