Researchers have found that sensitive data, including passwords and API keys, is being exposed through popular online tools such as JSONFormatter and CodeBeautify. These tools, widely used for code formatting and validation, have inadvertently become repositories of sensitive information, creating significant security risks for countless organizations and individuals.
The cybersecurity firm watchTowr Labs conducted an extensive investigation, collecting a vast dataset of over 80,000 files from these platforms. This data revealed a treasure trove of sensitive information, such as usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration details, helpdesk API keys, meeting room API keys, SSH session recordings, and personal data. The scope of this leak is immense, encompassing historical content from both JSONFormatter and CodeBeautify, totaling over 5GB of enriched, annotated JSON data.
The affected organizations span across critical sectors, including national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel, and even cybersecurity. This diverse range of industries highlights the pervasive nature of the issue.
Security researcher Jake Knott emphasized the popularity of these tools, which often rank highly in search results for terms like 'JSON beautify' and 'best place to paste secrets'. He noted that they are used by a wide array of entities, from developers and administrators to enterprises and personal projects. The tools' ability to save formatted JSON or code as a shareable link further exacerbates the problem, as anyone with the URL can potentially access the sensitive data.
The situation is made more alarming by the fact that these sites provide a Recent Links page, making it easier for malicious actors to retrieve and exploit the shared links. The predictable URL format, such as https://jsonformatter.org/{id-here} or https://codebeautify.org/{formatter-type}/{id-here}, simplifies the process of scraping and testing sensitive information.
Leaked information includes Jenkins secrets, encrypted credentials for sensitive configuration files, Know Your Customer (KYC) data associated with banks, AWS credentials linked to major financial exchanges, and Active Directory credentials for financial institutions. The severity of the leak is further compounded by the discovery that fake AWS access keys were being tested by bad actors just 48 hours after they were uploaded.
Knott expressed frustration, stating that the issue persists because the exposed credentials are being actively exploited. He advocated for a reduction in the number of critical organizations pasting credentials into random websites, rather than the development of more AI-driven platforms.
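The practical mitigation the article points to is to format and inspect data locally, and to check it for credentials before it ever reaches a third-party site. The following script is an added example written for this page; it is not code from watchTowr Labs, the article, or either formatter site. It pretty-prints a JSON document offline and, while walking it, redacts values whose key names look credential-bearing (password, secret, token, API key, and so on) or whose values match well-known secret shapes (AWS access key IDs, JWT-style tokens, PEM private-key headers). The key-name list and the sample configuration are constructed for this example; the AWS key in the sample is the placeholder value from AWS's own documentation, not a real credential.

```python
import json
import re
from typing import Any

# Key names that commonly carry credentials (constructed list for this example).
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key|access[_-]?key|credential)",
    re.IGNORECASE,
)

# Value shapes that indicate a secret even under an innocent-looking key.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def _walk(node: Any, path: str, findings: list) -> Any:
    """Return a copy of `node` with secrets replaced; record each hit in `findings`."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child_path = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEY_RE.search(key):
                # The key name alone is enough to block the value, whatever it contains.
                findings.append({"path": child_path, "reason": "sensitive key name"})
                out[key] = "[REDACTED:key-name]"
            else:
                out[key] = _walk(value, child_path, findings)
        return out
    if isinstance(node, list):
        return [_walk(item, f"{path}[{i}]", findings) for i, item in enumerate(node)]
    if isinstance(node, str):
        redacted = node
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(redacted):
                findings.append({"path": path, "reason": name})
                redacted = pattern.sub(f"[REDACTED:{name}]", redacted)
        return redacted
    return node  # numbers, booleans and null pass through unchanged


def format_for_sharing(raw_json: str) -> tuple[str, list]:
    """Pretty-print JSON locally, redacting anything that looks like a credential.

    Returns the formatted text and a list of findings; an empty list means
    nothing credential-like was seen and the text is reasonably safe to share.
    """
    findings: list = []
    cleaned = _walk(json.loads(raw_json), "$", findings)
    return json.dumps(cleaned, indent=2, sort_keys=True), findings


# Constructed sample: the kind of service configuration that ends up pasted into
# online formatters. The AWS key is the documented placeholder, not a live key.
SAMPLE = """{
  "app": "billing-sync",
  "ldap": {
    "url": "ldap://ldap.example.internal:389",
    "bindDN": "cn=svc-billing,dc=example,dc=com",
    "bindPassword": "Sup3rS3cret!"
  },
  "aws": {
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  },
  "notes": ["rotate quarterly", "bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.c2ln"]
}"""

if __name__ == "__main__":
    pretty, hits = format_for_sharing(SAMPLE)
    for hit in hits:
        print(f"BLOCKED {hit['path']}: {hit['reason']}")
    print(pretty)
```

Run on the sample, the script reports four findings (the LDAP bind password, both AWS fields by key name, and the bearer token inside the notes array by value shape) and prints a copy with those values replaced, so the structure can still be reviewed or shared without the credentials. Key-name matching deliberately fires before value matching: a credential stored under an obvious key is redacted whole, while value patterns catch the cases where a secret hides in free text. Patterns like these are a floor, not a guarantee; a value that is neither under a telling key nor of a recognizable shape will pass, which is why the article's underlying advice stands: keep the formatter local.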
In response to the research, both JSONFormatter and CodeBeautify temporarily disabled the save functionality, saying they are implementing enhanced security measures. watchTowr suspects that this change occurred in September, following communication from affected organizations.