{"id":5945,"date":"2025-11-25T21:40:23","date_gmt":"2025-11-25T21:40:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5945"},"modified":"2025-11-25T21:40:23","modified_gmt":"2025-11-25T21:40:23","slug":"developers-left-large-cache-of-credentials-exposed-on-code-generation-websites","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5945","title":{"rendered":"Developers left large cache of credentials exposed on code generation websites"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A large trove of sensitive credentials, authentication keys, configuration data, tokens, and API keys has been potentially exposed by developers using two popular code formatting sites, security company watchTowr has discovered.<\/p>\n<p>In an industry that normally worries about criminal activity, <a href=\"https:\/\/labs.watchtowr.com\/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem\/\" target=\"_blank\" rel=\"noopener\">watchTowr\u2019s research<\/a> on the <a href=\"https:\/\/jsonformatter.org\/\" target=\"_blank\" rel=\"noopener\">JSON Formatter<\/a> and <a href=\"https:\/\/codebeautify.org\/\" target=\"_blank\" rel=\"noopener\">Code Beautify<\/a> code utility sites shines light on a completely different problem: that data can also be leaked by developers who leave it on third-party websites by accident.<\/p>\n<p>Both of these sites offer developers a quick way to perform a wide range of coding functions, including JSON and code formatting, code checking and debugging, and data conversion.<\/p>\n<p>Visitors can use the sites\u2019 \u2018Save\u2019 feature, which turns the content they have pasted into a shareable URL, for bookmarking or for sharing with colleagues. 
The researchers quickly spotted the obvious security issue with this: anyone who obtains the shareable URL, whether it is shared, logged or stolen, can read the original data and whatever secrets it contains.<\/p>\n<p>However, it turned out that the sites were also exposing the saved data through a separate, publicly accessible \u2018Recent Links\u2019 feature. By querying the sites\u2019 <em>\/service\/getDataFromID<\/em> API endpoint, watchTowr was able to retrieve the content behind each link without needing the original shareable URL. In total, the researchers downloaded more than 80,000 submissions, covering five years of historical JSON Formatter content and one year of historical Code Beautify content, and enriched and annotated the resulting 5GB+ of JSON data to identify thousands of secrets. These included:<\/p>\n<ul>\n<li>Active Directory credentials<\/li>\n<li>Code repository authentication keys<\/li>\n<li>Database credentials<\/li>\n<li>LDAP configuration information<\/li>\n<li>Cloud environment keys<\/li>\n<li>FTP credentials<\/li>\n<li>CI\/CD pipeline credentials<\/li>\n<li>Full, sensitive API requests and responses<\/li>\n<li>Private keys<\/li>\n<li>Card payment gateway credentials<\/li>\n<li>RTSP credentials<\/li>\n<li>Administrative JWT tokens<\/li>\n<li>Helpdesk API keys<\/li>\n<li>Meeting room API keys<\/li>\n<li>SSH session recordings<\/li>\n<li>A wide range of personally identifiable information (PII)<\/li>\n<\/ul>\n<p>Clearly, the developers using the platforms didn\u2019t realize that the data they entered would be retained, and could be exposed to anyone through the sites\u2019 insecure design.<\/p>\n<h2 class=\"wp-block-heading\">Weak response<\/h2>\n<p>The researchers identified many large organizations whose data was exposed through the saved links, including those in government, critical national infrastructure, healthcare, banking, and even a prominent cyber security company.<\/p>\n<p>One curious discovery was data posted by an MSSP: the Active Directory (AD) username and email credentials belonging to one of its clients, a large US bank. 
Given that the data wasn\u2019t valid JSON, the researchers surmise that the individual who posted it was not formatting anything at all, but simply using the service to generate a URL through which to share the credentials.<\/p>\n<p>When the researchers tried to alert the affected companies to their data leaks, they were often ignored. \u201cOf the affected organizations that we tried to contact, only a handful (thank you) responded to us quickly. The majority didn\u2019t bother, despite attempts at communication across multiple channels,\u201d said watchTowr principal researcher <a href=\"https:\/\/www.linkedin.com\/in\/jake-knott-046939107\/\" target=\"_blank\" rel=\"noopener\">Jake Knott<\/a>, in a blog.<\/p>\n<p>\u201cWe don\u2019t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites,\u201d he said.<\/p>\n<p>To see whether the exposure had been noticed by others, watchTowr planted its own test credentials on the sites, pointing at a honeypot, and waited to see whether anyone scraped them and tried to use them.<\/p>\n<p>\u201cAnd then, the big \u2018surprise\u2019\u2026 we got our first hit, indicating somebody was poking around these datasets. We\u2019re not alone \u2013 someone else is already scraping these sources for credentials, and actively testing them,\u201d said Knott.<\/p>\n<p><em>CSO Online<\/em> contacted both sites for a response to watchTowr\u2019s research, but had not heard back by press time. However, the \u2018save\u2019 facility on both sites has now been disabled with the following message:<\/p>\n<p>\u201cSave facility temporarily disabled: We are stopping save facility to prevent NSFW content and working on to make it better. 
We understand this may be inconvenient, but we\u2019re taking proactive measures to ensure our platform remains safe and appropriate for all users.\u201d <\/p>\n<p>The \u2018Recent Links\u2019 feature, however, was still accessible on one of the two sites, Code Beautify.<\/p>\n<p>Researchers at watchTowr have a knack for spotting unusual exposures. Earlier this month, the company revealed that <a href=\"https:\/\/www.csoonline.com\/article\/4093949\/fortinet-criticized-for-silent-patching-after-disclosing-second-zero-day-vulnerability-in-same-equipment.html\" target=\"_blank\" rel=\"noopener\">Fortinet had patched<\/a> a zero-day vulnerability in its FortiWeb WAF platform two weeks before disclosing its existence to customers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A large trove of sensitive credentials, authentication keys, configuration data, tokens, and API keys has been potentially exposed by developers using two popular code formatting sites, security company watchTowr has discovered. 
In an industry that normally worries about criminal activity, watchTowr\u2019s research on the JSON Formatter and Code Beautify code utility sites shines light on [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5946,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5945","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5945"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5945"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5945\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5946"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}