External attack surface management firm WatchTowr conducted an examination of the JSONFormatter and CodeBeautify online platforms, revealing a critical vulnerability in their Recent Links feature. This functionality unintentionally granted access to JSON snippets that users had saved on the services’ servers, often for the purposes of temporary sharing or formatting. These snippets frequently contained highly sensitive corporate data.
The exposure mechanism was simple yet effective: when a user clicked the ‘save’ button, the platform generated a unique, public URL for that page. Crucially, this URL was then added to the user’s Recent Links page, which was implemented without any protection layer, leaving the saved content accessible to anyone who knew or could guess the link. The predictable, structured URL format of the Recent Links pages made them easy targets for basic scraping and retrieval.
Leveraging this lack of protection, WatchTowr’s researchers successfully scraped these public “Recent Links” pages. By pulling the raw data using the platforms’ getDataFromID API endpoints, they amassed a significant dataset. This collection included over 80,000 user pastes, representing five years of data from JSONFormatter and one year from CodeBeautify, all containing various sensitive details.
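The design flaw described above comes down to two choices: paste identifiers that can be enumerated, and a Recent Links listing served to anyone. The following Python model, added here as an illustration and not code from watchTowr or from either platform, reproduces that weak design side by side with the usual mitigations: unguessable identifiers, an owner-only listing behind authentication, and an expiry on every paste. The class, method and field names (`PasteStore`, `save`, `recent_links`, `default_ttl`) are assumptions; only `get_data_from_id` echoes an endpoint name mentioned in the article, and share-by-link reads are deliberately left public because that is the product's purpose.

```python
import itertools
import secrets
import time
from typing import Optional


class PasteStore:
    """Minimal model of a 'save and share by link' paste service (hypothetical).

    hardened=False reproduces the weak design the article describes:
    sequential paste ids and a Recent Links listing any visitor can read.
    hardened=True applies the standard mitigations: unguessable ids,
    an owner-only Recent Links listing, and an expiry on every paste.
    """

    def __init__(self, hardened: bool, default_ttl: int = 3600):
        self.hardened = hardened
        self.default_ttl = default_ttl
        self._seq = itertools.count(1000)   # predictable id source (weak design only)
        self._pastes = {}                   # paste_id -> (owner, content, expires_at)

    def save(self, owner: str, content: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self.hardened:
            pid = secrets.token_urlsafe(24)  # 192 random bits: not enumerable
            expires_at = now + self.default_ttl
        else:
            pid = str(next(self._seq))       # 1000, 1001, ...: trivially enumerable
            expires_at = float("inf")        # weak design: pastes never expire
        self._pastes[pid] = (owner, content, expires_at)
        return pid

    def get_data_from_id(self, pid: str, now: Optional[float] = None) -> str:
        """Share-by-link read. Public by design; the protection comes from the
        id being unguessable and the paste being short-lived."""
        now = time.time() if now is None else now
        record = self._pastes.get(pid)
        if record is None or now >= record[2]:
            raise KeyError("no such paste")
        return record[1]

    def recent_links(self, requester: Optional[str]) -> list:
        """The listing that leaked. Hardened: only the authenticated owner
        sees their own links; anonymous callers get nothing."""
        if not self.hardened:
            return list(self._pastes)        # every saved link, to anyone
        if requester is None:
            raise PermissionError("login required")
        return [pid for pid, (owner, _, _) in self._pastes.items() if owner == requester]


def demo() -> dict:
    """Contrast the two designs on constructed sample pastes."""
    weak = PasteStore(hardened=False)
    weak.save("alice", '{"db_password": "example-only"}', now=0)
    weak.save("bob", '{"api_token": "example-only"}', now=0)

    hard = PasteStore(hardened=True, default_ttl=600)
    alice_id = hard.save("alice", '{"db_password": "example-only"}', now=0)
    hard.save("bob", '{"api_token": "example-only"}', now=0)

    return {
        "weak_listing_seen_by_anonymous": weak.recent_links(None),
        "hardened_listing_seen_by_alice": hard.recent_links(alice_id and "alice"),
        "hardened_id_length": len(alice_id),
    }


if __name__ == "__main__":
    print(demo())
```

The weak store hands an anonymous caller the complete list of saved links, and each id is one increment away from the next; the hardened store hands the caller nothing without a login, and even a leaked id stops resolving once its TTL passes.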
The range of exposed information was extensive and alarming, impacting numerous high-risk sectors like government, critical infrastructure, banking, insurance, aerospace, healthcare, education, cybersecurity, and telecommunications. The leaked data included: Active Directory credentials, cloud and database credentials, private keys, code repository tokens, CI/CD secrets, API tokens, payment gateway keys, and even SSH session recordings. Furthermore, large amounts of personally identifiable information (PII), including know-your-customer (KYC) data, were also discovered.
Specific examples highlighted the severity of the leak, such as an AWS credential set used by an international stock exchange’s Splunk SOAR system, and bank credentials exposed within an MSSP onboarding email. In another instance, researchers uncovered “materially sensitive information” belonging to a cybersecurity company. The exposed material included encrypted credentials for a highly sensitive configuration file, SSL certificate private key passwords, external and internal hostnames and IP addresses, and detailed paths to critical files such as keys, certificates, and configuration files.
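Most of the secret classes listed above have recognisable shapes, which is why organisations scan outbound pastes and repositories for them before they leave the building. The scanner below is an added example, not tooling from watchTowr or either platform. It runs a handful of signature patterns plus a Shannon-entropy check over constructed sample pastes; the sample values are the publicly documented AWS example key pair and made-up configuration fragments, and the category names, threshold and function names are assumptions.

```python
import math
import re
from collections import Counter

# Signatures for secret classes the article reports in leaked pastes.
# Patterns follow publicly documented formats; no real credentials appear here.
SIGNATURES = {
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "github token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "credential in key/value pair": re.compile(
        r'"[^"]*(?:password|passwd|secret|token)[^"]*"\s*:\s*"[^"]+"', re.IGNORECASE
    ),
}

# Catch-all for secrets without a known prefix: long, high-entropy tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune for your data


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_paste(text: str) -> list:
    """Return the sorted list of secret categories detected in one paste."""
    findings = set()
    for category, pattern in SIGNATURES.items():
        if pattern.search(text):
            findings.add(category)
    for token in TOKEN_RE.findall(text):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.add("high-entropy string")
            break
    return sorted(findings)


# Constructed sample pastes (documented AWS example key pair; invented config).
SAMPLE_PASTES = {
    "clean": '{"service": "inventory-api", "replicas": 3, "region": "us-east-1"}',
    "db_config": '{"db_host": "db01.internal.example", "db_user": "app", '
                 '"db_password": "Winter2024!"}',
    "aws_creds": '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", '
                 '"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
    "tls_key": '{"tls_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA...'
               '\\n-----END RSA PRIVATE KEY-----"}',
}


def scan_samples() -> dict:
    """Scan every constructed sample and map its name to the categories found."""
    return {name: scan_paste(text) for name, text in SAMPLE_PASTES.items()}


if __name__ == "__main__":
    for name, categories in scan_samples().items():
        verdict = ", ".join(categories) if categories else "no secrets detected"
        print(f"{name}: {verdict}")
```

The signature list is deliberately short; in practice it is extended with the token prefixes of the cloud, CI/CD and payment providers an organisation actually uses, and the entropy threshold is tuned against a sample of known-clean pastes so that base64 blobs and hashes do not swamp the results.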