Developers left large cache of credentials exposed on code generation websites
Tuesday 25 November 2025, 22:33, by InfoWorld
A large trove of sensitive credentials, authentication keys, configuration data, tokens, and API keys has been potentially exposed by developers using two popular code formatting sites, security company watchTowr has discovered.
In an industry that normally worries about criminal activity, watchTowr’s research on the JSON Formatter and Code Beautify code utility sites shines light on a completely different problem: data can also be leaked by developers who leave it on third-party websites by accident.

Both sites offer developers a quick way to perform a wide range of coding functions, including JSON and code formatting, code checking and debugging, and data conversion. Visitors can use the sites’ helpful ‘Save’ feature to share the code they have generated, for bookmarking purposes or to share with colleagues. The researchers quickly spotted a security issue with this: anyone able to access or steal the shareable URL would have a path to the original data and its sensitive contents.

However, it turned out that the sites were also exposing the real data through a separate ‘Recent Links’ feature. By querying the sites’ /service/getDataFromID API endpoint, watchTowr was able to extract the content behind each link from 80,000+ downloaded submissions, five years of historical JSON Formatter content, one year of historical Code Beautify content, 5GB+ of enriched data, annotated JSON data, plus thousands of secrets. These included:

- Active Directory credentials
- Code repository authentication keys
- Database credentials
- LDAP configuration information
- Cloud environment keys
- FTP credentials
- CI/CD pipeline credentials
- Full and sensitive API requests and responses
- Private keys
- Card payment gateway credentials
- RTSP credentials
- Administrative JWT tokens
- Helpdesk API keys
- Meeting room API keys
- SSH session recordings
- A wide range of personally identifiable information (PII)

Clearly, the developers using the platforms didn’t realize that when they entered their data, it would be retained and potentially exposed by the sites’ insecure design.
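The practical lesson of the list above is that the check has to happen before the snippet leaves the developer's machine. The following Python script is an added example, not code from watchTowr, InfoWorld or either formatter site: it parses a JSON document (or falls back to line scanning for non-JSON pastes like the Active Directory note described below), flags values that look like credentials by key name or by shape (JWTs, PEM private keys, AWS access key IDs, Basic auth headers, URLs with embedded passwords), and produces a redacted copy that is safe to paste into a third-party tool. The pattern set is an assumed starter list, and SAMPLE_JSON and SAMPLE_TEXT are constructed inputs with fake values.

```python
"""Pre-share secret check for snippets headed to a third-party formatter.

Added example (not watchTowr's or InfoWorld's code): flag and redact
credential-looking values locally, before the document is pasted anywhere.
Patterns are a small, assumed starter set; SAMPLE_JSON and SAMPLE_TEXT are
constructed inputs and every credential-looking value in them is fake.
"""
import json
import re

# Key names that nearly always carry a credential (case-insensitive substring).
SENSITIVE_KEY_RE = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential|authorization", re.I)

# Value shapes flagged regardless of the key name they sit under.
VALUE_PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$"),
    "basic_auth_header": re.compile(r"^Basic [A-Za-z0-9+/=]{8,}$"),
    "url_with_password": re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@"),
}
KV_LINE_RE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*[:=]\s*(\S.*)$")  # key: value / key=value
REDACTED = "[REDACTED]"


def classify(key, value):
    """Label a (key, value) pair with a secret kind, or None if it looks benign."""
    if not isinstance(value, str) or not value:
        return None
    for label, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            return label
    if key is not None and SENSITIVE_KEY_RE.search(str(key)):
        return "sensitive_key"
    return None


def find_secrets(node, path="$"):
    """Walk parsed JSON; return [(json_path, label)] for every flagged value."""
    hits = []
    if isinstance(node, dict):
        items = [(f"{path}.{k}", k, v) for k, v in node.items()]
    elif isinstance(node, list):
        items = [(f"{path}[{i}]", None, v) for i, v in enumerate(node)]
    else:
        return hits
    for child_path, key, value in items:
        label = classify(key, value)
        if label:
            hits.append((child_path, label))
        else:
            hits.extend(find_secrets(value, child_path))
    return hits


def redact(node):
    """Return a deep copy of parsed JSON with every flagged value replaced."""
    if isinstance(node, dict):
        return {k: REDACTED if classify(k, v) else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [REDACTED if classify(None, v) else redact(v) for v in node]
    return node


def scan_text(text):
    """Line-oriented fallback for non-JSON pastes (e.g. 'password: ...' notes)."""
    hits, kept = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = KV_LINE_RE.match(line)
        label = classify(match.group(1), match.group(2)) if match else classify(None, line)
        if label:
            hits.append((number, label))
            kept.append(f"{match.group(1)}: {REDACTED}" if match else REDACTED)
        else:
            kept.append(line)
    return hits, "\n".join(kept)


def check_before_sharing(text):
    """Return (hits, redacted_text); share only the redacted text once hits are reviewed."""
    try:
        document = json.loads(text)
    except json.JSONDecodeError:
        return scan_text(text)
    return find_secrets(document), json.dumps(redact(document), indent=2)


# Constructed sample inputs; every credential-looking value below is fake.
SAMPLE_JSON = json.dumps({
    "service": "inventory-api",
    "db": {"host": "db.example.internal", "user": "app", "password": "not-a-real-password"},
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlLWZha2U"},
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
    "notes": ["rotate weekly", "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake\n-----END RSA PRIVATE KEY-----"],
})
SAMPLE_TEXT = "domain: corp.example\nusername: svc-backup\npassword: Fake-Passw0rd-Only\n"

if __name__ == "__main__":
    for sample in (SAMPLE_JSON, SAMPLE_TEXT):
        hits, safe = check_before_sharing(sample)
        print(f"{len(hits)} secret(s) found: {hits}")
        print(safe)
```

Value-shape patterns are checked before key names, so a JWT stored under an innocuous key such as "Authorization" is still caught, and the non-JSON path exists because, as the article notes, some of the exposed material was not valid JSON at all but credentials pasted purely to obtain a shareable link.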
Weak response

The researchers identified many large organizations whose data was exposed in the URLs, including those in government, critical national infrastructure, healthcare, banking, and even a prominent cyber security company. One curious discovery was data posted by an MSSP: the Active Directory (AD) username and email credentials belonging to one of its clients, a large US bank. Given that the data wasn’t valid JSON, the researchers surmise that the individual who posted the data was simply using the service to generate a URL through which to share credentials.

When the researchers tried to alert the affected companies to their data leaks, they were often ignored. “Of the affected organizations that we tried to contact, only a handful (thank you) responded to us quickly. The majority didn’t bother, despite attempts at communication across multiple channels,” said watchTowr principal researcher Jake Knott, in a blog. “We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites,” he said.

To see whether the exposure had been noticed by others, watchTowr generated its own test credentials to be scraped from the sites and set them up in a honeypot to see if anyone tried to use them. “And then, the big ‘surprise’… we got our first hit, indicating somebody was poking around these datasets. We’re not alone – someone else is already scraping these sources for credentials, and actively testing them,” said Knott.

CSO Online contacted both sites for a response to watchTowr’s research, but had not heard back by press time. However, the ‘save’ facility on both sites has now been disabled with the following message: “Save facility temporarily disabled: We are stopping save facility to prevent NSFW content and working on to make it better. We understand this may be inconvenient, but we’re taking proactive measures to ensure our platform remains safe and appropriate for all users.” The ‘Recent Links’ feature, however, was still accessible on one of the two, Code Beautify.

Researchers at watchTowr have a knack for spotting unusual exposures. Earlier this month, the company revealed that Fortinet had patched a zero-day vulnerability in its FortiWeb WAF platform two weeks before revealing its existence to customers.
https://www.infoworld.com/article/4096169/developers-left-large-cache-of-credentials-exposed-on-code...