Security Alert: JSONFormatter and CodeBeautify Expose Credentials

Concerns are mounting in the tech community as two popular online tools designed to help software developers format and structure their code have inadvertently exposed thousands of login credentials and other sensitive information. JSONFormatter and CodeBeautify, both widely used for converting code into a more readable format, have come under scrutiny for leaving critical data unprotected.

Cybersecurity researchers have discovered that data saved through these websites includes information belonging to organizations across high-risk sectors such as government, banking, and healthcare. The exposure stems from how these tools allow users to save their formatted code: any link created this way retains whatever was pasted, including embedded credentials, authentication keys, and other data, leaving that data exposed.

According to a report from cybersecurity firm watchTowr, the findings cover over five years’ worth of data from JSONFormatter and one year of data from CodeBeautify. The compromised information includes Active Directory credentials, database and cloud access details, private keys, code repository tokens, and CI/CD system secrets. Sensitive payment gateway keys and API tokens were also found, along with SSH session recordings and a significant trove of personally identifiable information (PII), including know-your-customer (KYC) data.

In a particularly alarming revelation, an AWS credential set belonging to a major international stock exchange was discovered, as well as credentials for a banking institution that were exposed via an onboarding email from a managed security service provider. Even a cybersecurity company’s sensitive information was found leaking, underscoring the potential risks these tools pose.

As it stands, the exposed links remain accessible on both JSONFormatter and CodeBeautify, leaving users vulnerable to malicious activities. This situation calls for an urgent review and enhancement of security practices surrounding online code formatting tools, ensuring that developers can protect their sensitive information effectively as the demand for such resources continues to grow.
