
Thousands of Secrets Leaked on Code Formatting Platforms

JSONFormatter and CodeBeautify users exposed credentials, authentication keys, configuration information, private keys, and other secrets. The post Thousands of Secrets Leaked on Code Formatting Platforms appeared first on SecurityWeek.


Users of code formatting platforms are exposing thousands of secrets and other types of sensitive information, attack surface management provider WatchTowr warns.

GitHub found roughly 39 million inadvertently leaked secrets across the platform last year, and previous research has revealed that secrets exposed on Git-based Source Code Management systems (SCMs) remain permanently leaked.

But users’ blunders extend beyond unknowingly hardcoding secrets in code published to public repositories. Every online tool used without proper code sanitization may lead to a leak. And threat actors are hunting them like hawks.

This is the conclusion WatchTowr reached after analyzing roughly 80,000 saved JSON files collected from JSONFormatter and CodeBeautify, platforms that users rely on to ‘beautify’ their code.

In its dataset, the outfit found thousands of sensitive secrets, including credentials, keys, tokens, configuration files, SSH session recordings, sensitive API requests and responses, personally identifiable information (PII), and other types of sensitive information.

In one case, someone apparently exported all credentials for their AWS Secrets Manager to a code formatting solution.

Cybersecurity and critical infrastructure entities affected

The leaked secrets belong to organizations across multiple verticals, including technology and cybersecurity, critical national infrastructure, government, finance, healthcare, aerospace, insurance, banking, education, telecoms, travel, and more.

The problem is not that people use these platforms to format and beautify the code in their enterprise or personal projects.

The issue is that some of them save the projects to create links to the code, which can be shared, and that these platforms allow visitors to scroll through recently saved content and associated URLs.

WatchTowr used the ‘Recent Links’ pages of both JSONFormatter and CodeBeautify to fetch over five gigabytes of JSON data, representing years of historical content.

After analyzing the data, it attempted to contact high-profile organizations impacted by the leaks, and worked with CERT teams to reach more entities.

By placing fake credentials in these JSON formatting platforms, the cybersecurity firm discovered that others were also scraping the databases and that exposed secrets are used within days after being leaked.

“We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites,” WatchTowr notes.
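The safer habit the report points to is to keep the beautifying step on the developer's own machine and to strip obvious secrets before a document goes anywhere. The following is an added example, not code from WatchTowr or from either platform: a small local redactor that walks a parsed JSON document, blanks values under sensitive-looking key names, blanks values that match a few well-known secret formats (AWS access key IDs, PEM private-key headers, bearer tokens), and then pretty-prints the result with the standard library. The key list, the patterns and the sample record are constructed assumptions to extend for your own environment.

```python
import json
import re

# Key names whose values are almost always secrets (constructed list, extend as needed).
SENSITIVE_KEYS = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|authorization|cookie)",
    re.IGNORECASE,
)
# Value patterns: AWS access key IDs (AKIA + 16 chars), PEM private-key blocks, bearer tokens.
SENSITIVE_VALUES = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\bBearer\s+[A-Za-z0-9._-]{16,}"),
]
REDACTED = "[REDACTED]"


def redact(node, key=None):
    """Recursively replace sensitive string values in a parsed JSON structure."""
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, key) for v in node]
    if isinstance(node, str):
        if key is not None and SENSITIVE_KEYS.search(key):
            return REDACTED
        if any(p.search(node) for p in SENSITIVE_VALUES):
            return REDACTED
    return node


def redact_json(raw: str) -> dict:
    """Parse a raw JSON document and return the redacted structure."""
    return redact(json.loads(raw))


def beautify_safely(raw: str) -> str:
    """Redact and pretty-print entirely on the local machine; nothing leaves the host."""
    return json.dumps(redact_json(raw), indent=2, sort_keys=True)


# Constructed sample resembling an exported secrets-store record; not real credentials.
SAMPLE = (
    '{"name":"prod-db","aws_access_key_id":"AKIA0123456789ABCDEF","password":"hunter2",'
    '"region":"us-east-1","headers":{"Authorization":"Bearer abcdefghijklmnopqrstuvwxyz"},'
    '"tags":["db","prod"]}'
)

if __name__ == "__main__":
    print(beautify_safely(SAMPLE))
```

Note that the key `aws_access_key_id` is not in the key list and is still caught because its value matches the access-key pattern; key-name and value-pattern checks complement each other.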

Related: Many Forbes AI 50 Companies Leak Secrets on GitHub

Related: Files Deleted From GitHub Repos Leak Valuable Secrets

Related: PyPI Packages Found to Expose Thousands of Secrets

Related: Thousands of Popular Websites Leaking Secrets
