Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

November 25, 2025 | Ravi Lakshmanan | Data Exposure / Cloud Security


New research finds that organizations across a variety of sensitive sectors, including governments, telecommunications and critical infrastructure, are pasting passwords and credentials into JSONFormatter and CodeBeautify, online tools used to format and validate JSON and other code.

Cybersecurity company watchTowr Labs said it captured a dataset of more than 80,000 files from these sites, including thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration information, helpdesk API keys, meeting room API keys, SSH session recordings, and all kinds of personal information.

It includes five years of historical JSONFormatter content and one year of historical CodeBeautify content, totaling over 5GB worth of rich, annotated JSON data.


Organizations affected by the leak span the critical national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel and, ironically, cybersecurity sectors.

“These tools are extremely popular, often appearing at the top of search results for terms like ‘JSON beautify’ and ‘best place to paste the secret’ (possibly unauthenticated) — and are used by a wide variety of organizations, developers, and administrators in both enterprise environments and personal projects,” security researcher Jake Knott said in a report shared with The Hacker News.


Both tools also offer the ability to save formatted JSON or code, turning it into a semi-permanent, shareable link. Anyone who obtains the URL can read the saved content; no authentication is required.


As it happens, the sites not only provide a handy Recent Links page listing recently saved links, but also follow a predictable URL format for shareable links, making it easy for a bad actor to retrieve all of them with a simple crawler:

  • https://jsonformatter.org/{id-here}
  • https://jsonformatter.org/{formatter-type}/{id-here}
  • https://codebeautify.org/{formatter-type}/{id-here}

Some examples of leaked information include Jenkins Secrets, a cybersecurity company exposing encrypted credentials for sensitive configuration files, Know Your Customer (KYC) information associated with a bank, AWS credentials of a major financial exchange associated with Splunk, and Active Directory credentials for a bank.
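The practical fix for the pattern described here is to never send configuration blobs to a third-party site in the first place. The following is an added example, not code from watchTowr or from either site: it pretty-prints JSON locally and refuses to proceed when the document contains credential-like keys or values of the kinds the researchers found (AWS access key IDs, LDAP bind passwords, database URLs with embedded passwords, bearer tokens). The sensitive key-name list, the value regexes and the sample document are assumptions chosen for illustration, not an exhaustive secret-detection ruleset; the AWS key ID in the sample is a synthetic value, not a real credential.

```python
"""Offline JSON pretty-printer with a pre-paste secret check.

Added example, not watchTowr's or the formatter sites' code. The key names
and value patterns below are illustrative assumptions, not a complete ruleset.
"""
import json
import re
from typing import Any, Iterator

# Key names that commonly hold credentials (assumed list, case-insensitive).
SENSITIVE_KEY_RE = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|"
    r"bind[_-]?pw|connection[_-]?string)",
    re.IGNORECASE,
)

# Value shapes that are strong indicators on their own (assumed patterns).
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "url_with_password": re.compile(r"://[^/\s:]+:[^@/\s]+@"),
}


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, key, value) for every scalar in a parsed JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        # The last path segment is the key the scalar sits under.
        yield path, path.rsplit(".", 1)[-1], node


def find_secrets(text: str) -> list[dict]:
    """Return one finding per credential-like key or value in a JSON document.

    Raises ValueError (json.JSONDecodeError) on invalid JSON, so a caller
    never silently skips a document the local parser could not read.
    """
    findings = []
    for path, key, value in _walk(json.loads(text)):
        if not isinstance(value, str) or not value:
            continue
        if SENSITIVE_KEY_RE.search(key):
            findings.append({"path": path, "reason": "sensitive_key"})
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append({"path": path, "reason": name})
    return findings


def format_locally(text: str, allow_secrets: bool = False) -> str:
    """Pretty-print JSON offline; refuse if credential-like content is present
    unless the caller explicitly accepts that risk."""
    findings = find_secrets(text)
    if findings and not allow_secrets:
        paths = ", ".join(f["path"] for f in findings)
        raise ValueError(f"refusing to format: credential-like content at {paths}")
    return json.dumps(json.loads(text), indent=2, sort_keys=True)


# Constructed sample resembling the configs the article says were leaked.
# The AWS key ID is a synthetic example value, not a real credential.
SAMPLE = json.dumps({
    "service": "build-agent",
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
    "ldap": {"bindDN": "cn=svc,dc=corp,dc=example", "bindPW": "Hunter2!"},
    "db": {"url": "postgres://app:s3cret@db.internal:5432/app"},
    "tags": ["nightly", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.abc"],
})

if __name__ == "__main__":
    for f in find_secrets(SAMPLE):
        print(f"{f['reason']:20s} {f['path']}")
    # Formatting succeeds only when the risk is explicitly accepted.
    print(format_locally(SAMPLE, allow_secrets=True))
```

Run as a script, the block lists five findings for the constructed sample (the AWS access key ID is flagged twice, once by key name and once by value shape) and then prints the formatted document. Wired into a shell alias or a pre-commit hook, the same check stops a config from leaving the machine before anyone reaches for a browser tab.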


To make matters worse, the company said it saved fake AWS access keys to one of these tools as a canary and, within 48 hours, observed attempts to use them. This indicates that the data exposed through these sites is already being scraped and tested by other parties, not merely sitting unnoticed.

“Mostly because someone is already exploiting it, and it’s all really very stupid,” Knott said. “We don’t need more AI-powered agent platforms; we need fewer low-key organizations sticking credentials into random websites.”

When checked by The Hacker News, both JSONFormatter and CodeBeautify had temporarily disabled the save functionality, stating that they are “working to improve it” and “implementing enhanced NSFW (not safe for work) content prevention measures.”

watchTowr said the sites disabled the save functionality possibly in response to the research. “We suspect this change occurred in response to communications from several affected organizations in September to which we were alerted,” it said.
