A report from cybersecurity firm RedHunt Labs has revealed the exposure of thousands of sensitive corporate secrets on public code formatting and sharing platforms. Researchers identified over 12,000 unique secrets that were inadvertently leaked by users on websites such as jsonformatter.org and codebeautify.org.
Nature and Scale of the Exposed Secrets
The leaked data included a wide range of sensitive information, such as API keys for services like AWS, GitHub, Google, and OpenAI. Also discovered were database credentials, private keys, authentication tokens, and complete configuration files. The exposed secrets belonged to a diverse set of organizations, including Fortune 500 companies, government bodies, universities, and technology firms. Specific entities impacted included a US state government, a major US healthcare provider, and one of the world’s largest automobile manufacturers.
Mechanism of the Data Leak
The exposures occurred when developers and other users pasted code snippets and data containing sensitive information into these online tools for formatting, validation, or sharing. Such platforms often generate a publicly accessible URL for each submission, which search engines can then index. One platform, codebeautify.org, also featured a ‘Recent’ section that publicly listed recently pasted content, which made finding secrets straightforward for the researchers. Following the disclosure from RedHunt Labs, the platform’s operators removed the ‘Recent’ section. Removing the listing does not recall content that was already indexed or copied, so any credential that was pasted into such a tool should be treated as disclosed and rotated.
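The practical defence against this leak path is to check a blob for credentials before it leaves the machine, and to do routine formatting offline. The following is an added example written for this page, not code from RedHunt Labs, SecurityWeek or either platform. It scans text for the secret types the report names (AWS, GitHub, Google and OpenAI API keys, database credentials, private keys), redacts them, and pretty-prints JSON with the standard library instead of a web formatter. The regular expressions use the vendors' public key prefixes, but the lengths and the overall set are heuristic approximations chosen for this example, and the sample paste is constructed (none of the values are real credentials).

```python
import json
import re

# Heuristic patterns for the secret types the report names. The prefixes are
# the vendors' public formats, but the lengths are approximations and the set
# is illustrative, not exhaustive (assumption of this example).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@", re.I
    ),
    "private_key_block": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"
    ),
}


def find_secrets(text):
    """Return (kind, matched_text) pairs for every hit, in document order."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def is_safe_to_paste(text):
    """True only if no pattern fires; hand text to a third-party tool only then."""
    return not find_secrets(text)


def redact(text):
    """Replace each detected secret with a <kind:REDACTED> placeholder so the
    structure of a config can still be shared or formatted."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub("<%s:REDACTED>" % kind, text)
    return text


def format_json_locally(text):
    """Pretty-print JSON with the standard library instead of a web formatter.
    Refuses input that still contains a plausible secret."""
    hits = find_secrets(text)
    if hits:
        raise ValueError("refusing to format, secrets present: "
                         + ", ".join(kind for kind, _ in hits))
    return json.dumps(json.loads(text), indent=2, sort_keys=True)


# Constructed sample paste in .env style; none of these are real credentials.
SAMPLE_PASTE = """\
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
DATABASE_URL=postgres://app:hunter2@db.internal:5432/prod
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL
GOOGLE_API_KEY=AIzaSyD_0123456789abcdefghijklmnopqrstu
LOG_LEVEL=info
-----BEGIN RSA PRIVATE KEY-----
notarealkeybodynotarealkeybodynotarealkeybody
-----END RSA PRIVATE KEY-----
"""

# Constructed JSON sample for the offline formatter path (not a real key).
SAMPLE_JSON = '{"region": "us-east-1", "aws_access_key_id": "AKIAABCDEFGHIJKLMNOP"}'

if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_PASTE):
        print("%-18s %s" % (kind, value.splitlines()[0]))
    print(redact(SAMPLE_PASTE))
    print(format_json_locally(redact(SAMPLE_JSON)))
```

The scan is deliberately cheap and prefix-based, so it will miss opaque secrets (random passwords, tokens without a vendor prefix) and should be treated as a last line of defence alongside an entropy-based scanner in pre-commit hooks. For plain JSON formatting, `python -m json.tool file.json` does the same job as the offline path above with no network round-trip at all.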
Source: https://www.securityweek.com/thousands-of-secrets-leaked-on-code-formatting-platforms/