Two websites intended to help software developers format and structure their code have exposed thousands of login credentials, authentication keys, and other highly sensitive information.
Cybersecurity researchers found that this sensitive data belonged to organizations in many high-risk sectors like government, banking, and healthcare …
JSONFormatter and CodeBeautify are two online tools that allow software developers to paste in their code and have it turned into a more readable format. However, when they save their results to reference later, whatever they include in their links is left completely exposed to anyone.
The issue is that in many cases the links included embedded credentials, authentication keys, and other highly sensitive information that could enable hackers to gain access to those systems.
Bleeping Computer reports that cybersecurity company watchTowr found over five years’ worth of JSONformatter data and a year of CodeBeautify data containing a wide array of sensitive information.
- Active Directory credentials
- Database and cloud credentials
- Private keys
- Code repository tokens
- CI/CD secrets
- Payment gateway keys
- API tokens
- SSH session recordings
- Large amounts of personally identifiable information (PII), including know-your-customer (KYC) data
- An AWS credential set used by an international stock exchange’s Splunk SOAR system
- Credentials for a bank exposed by an MSSP onboarding email
Ironically, this included sensitive information from an easily-identifiable cybersecurity company.
At the time of writing, the links are still freely accessible on both platforms.
Highlighted accessories
Photo by James Harrison on Unsplash
FTC: We use income earning auto affiliate links. More.
