A new study has found that organizations in a variety of sensitive sectors, including government, telecommunications, and critical infrastructure, are pasting passwords and credentials into online tools used to format and validate code, such as JSONformatter and CodeBeautify.
Cybersecurity firm watchTowr Labs announced that it has captured a dataset of more than 80,000 files on these sites, revealing thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration information, help desk API keys, conference room API keys, SSH session records, and personal information of all kinds.
This includes 5 years of historical JSONFormatter content and 1 year of historical CodeBeautify content, totaling 5GB worth of enriched and annotated JSON data.
Organizations affected by this breach span the critical national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel, and, ironically, cybersecurity sectors.
“These tools are extremely popular, often appearing near the top of search results for things like ‘JSON beautification’ and ‘best place to paste secrets’ (probably unproven), and are used by a variety of organizations, organizations, developers, and administrators in both enterprise environments and personal projects,” security researcher Jake Knott said in a report shared with Hacker News.
Both tools provide the ability to save a formatted JSON structure or code and turn it into a semi-permanent link that can be shared with others. This makes the data accessible to anyone who can access the URL.
Coincidentally, these sites not only provide a convenient (Recent Links) page that lists all recently saved links, but also follow a predictable URL format for shareable links, making it easy for a malicious attacker to retrieve all URLs using a simple crawler.
- https://jsonformatter.org/{id-here}
- https://jsonformatter.org/{formatter-type}/{id-here}
- https://codebeautify.org/{formatter-type}/{id-here}
Examples of compromised information include sensitive information from Jenkins, a cybersecurity firm exposing encrypted credentials in sensitive configuration files, Know Your Customer (KYC) information associated with a bank, AWS credentials for a major financial exchange linked to Splunk, and Active Directory credentials for a bank.
To make matters worse, the company announced that it had discovered a malicious actor who uploaded a fake AWS access key to one of these tools and attempted to exploit it 48 hours after it was stored. This indicates that valuable information published through these sources is being collected and tested by other parties, posing significant risks.
“The main reason is that someone is already exploiting it, which is really, really stupid,” Knott said. “We don’t need more AI-powered agent platforms. There will be fewer important organizations pasting their credentials on random websites.”
Checked by The Hacker News, both JSONFormatter and CodeBeautify have temporarily disabled the save feature, claiming they are “working on improvements” and implementing “enhanced NSFW (Not Safe For Work) content prevention measures.”
watchTowr said the save feature was disabled on these sites, likely in response to the investigation. “We believe this change occurred in September in response to communications from a number of affected organizations that we alerted to,” it added.
