Concise Cyber

Thousands of Sensitive Secrets Exposed via JSONFormatter and CodeBeautify Tools

Cybersecurity researchers at RedHunt Labs have uncovered a significant data exposure incident involving thousands of sensitive secrets published on the popular online developer tools JSONFormatter and CodeBeautify. The exposure stemmed from a feature of both tools that generates a publicly accessible URL for any data a user submits for formatting or beautification, a behaviour many users were unaware of.

The data was pasted into the web applications by users and subsequently made public through generated links or ‘bins’. This unintended publication left a vast amount of confidential information accessible on the internet. Because these public URLs were indexed by search engines, the sensitive data became easily discoverable by anyone.

Details of the Exposed Information

The investigation by RedHunt Labs revealed a wide variety of highly sensitive information. The publicly available data included AWS credentials, database credentials, and API keys for prominent services such as Stripe, Twilio, and Google. Additionally, researchers found private keys for SSH and PGP, authentication tokens, server configuration files, and raw usernames and passwords.

The exposed secrets were linked to numerous organizations, including a US-based telecommunications company, whose customers’ personally identifiable information (PII) was exposed. Other identified data belonged to a major Asian airline, which had its database credentials published, and a leading car manufacturer, which had internal data exposed through the platforms.

Reporting and Remediation

Upon discovering the widespread data exposure, RedHunt Labs promptly reported their findings to the administrators of both JSONFormatter and CodeBeautify. According to the researchers, the website administrators acknowledged the issue and have since taken action to address the reported security lapse. The incident highlights the risks associated with pasting sensitive information into online tools without fully understanding their data handling and sharing policies.
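The practical defence the incident points to is to check text for the kinds of secrets listed above before it leaves your machine, whether that is a paste into a web tool or a commit. The following is an added example, not code from RedHunt Labs or from either website: a small scanner that flags the secret types the article names (AWS access key IDs, Stripe live keys, database URLs carrying a password, raw password assignments, and SSH/PGP private-key blocks) and reports them in redacted form. The AWS `AKIA` prefix and Stripe `sk_live_` prefix are the publicly documented formats; the database-URL and password patterns are heuristics you would tune for your own environment. The sample paste is constructed for the example and uses AWS's published example key, not a real credential.

```python
import re
from dataclasses import dataclass

# Patterns for the secret classes the article lists. Tighter than a
# generic entropy scanner, so fewer false positives on ordinary JSON,
# but you will want to add your own providers' key formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "database_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s/]+@"
    ),
    # Heuristic: password/passwd/pwd followed by : or = and a value of 6+ chars.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)['\"]?\s*[:=]\s*['\"]?[^'\"\s,]{6,}"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"
    ),
}


@dataclass
class Finding:
    kind: str       # which pattern fired
    line_no: int    # 1-based line in the scanned text
    redacted: str   # matched text with all but a short prefix masked


def redact(secret: str, keep: int = 4) -> str:
    """Mask a match so the report itself never re-leaks the secret."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text: str) -> list[Finding]:
    """Return every secret-like match, in line order, redacted for reporting."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(kind, line_no, redact(match.group(0))))
    return findings


def is_safe_to_share(text: str) -> bool:
    """True only if no pattern fires; use as a gate before pasting or committing."""
    return not scan_text(text)


# Constructed sample paste (hypothetical config; the AWS key is the
# documented AWS example key, the other values are made up for this demo).
SAMPLE_PASTE = """{
  "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
  "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "stripe_key": "sk_live_0123456789abcdefghijklmn",
  "db": "postgres://app:hunter2hunter2@db.internal:5432/prod",
  "password": "s3cretValue1",
  "ssh_key": "-----BEGIN OPENSSH PRIVATE KEY-----",
  "note": "nothing sensitive here"
}"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_PASTE):
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
    print("safe to share:", is_safe_to_share(SAMPLE_PASTE))
```

Note that the AWS secret access key on line 3 of the sample is deliberately not caught: it has no fixed prefix, so matching it needs either an entropy check or context (the `aws_secret_access_key` field name), which is exactly the kind of gap a regex-only gate leaves and why the scanner should be one layer alongside not pasting production data into third-party tools at all.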

Source: https://securityaffairs.com/185150/security/thousands-of-sensitive-secrets-published-on-jsonformatter-and-codebeautify.html