Thousands of Secrets Leaked on Code Formatting Platforms

JSONFormatter and CodeBeautify users exposed credentials, authentication keys, configuration information, private keys, and other secrets.


Users of code formatting platforms are exposing thousands of secrets and other types of sensitive information, attack surface management provider WatchTowr warns.

GitHub found roughly 39 million inadvertently leaked secrets across the platform last year, and previous research has revealed that secrets exposed on Git-based Source Code Management systems (SCMs) remain permanently leaked.

But users’ blunders extend beyond unknowingly hardcoding secrets in code published to public repositories. Every online tool used without proper code sanitization may lead to a leak. And threat actors are hunting them like hawks.

This is the conclusion WatchTowr reached after analyzing roughly 80,000 saved JSON files collected from JSONFormatter and CodeBeautify, platforms that users rely on to ‘beautify’ their code.

In its dataset, the outfit found thousands of sensitive secrets, including credentials, keys, tokens, configuration files, SSH session recordings, sensitive API requests and responses, personally identifiable information (PII), and other types of sensitive information.

In one case, someone apparently exported all credentials for their AWS Secrets Manager to a code formatting solution.


Cybersecurity and critical infrastructure entities affected

The leaked secrets belong to organizations across multiple verticals, including technology and cybersecurity, critical national infrastructure, government, finance, healthcare, aerospace, insurance, banking, education, telecoms, travel, and more.

The problem is not that people use these platforms to format and beautify the code in their enterprise or personal projects.

The issue is that some users save their projects to generate shareable links to the code, and that both platforms let anyone browse recently saved content and its URLs.

WatchTowr used the ‘Recent Links’ pages of both JSONFormatter and CodeBeautify to fetch over five gigabytes of JSON data, representing years of historical content.
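The safer pattern the findings point to is to beautify locally and strip anything secret-looking before a blob ever reaches a third-party tool. The following is an added example, not code from WatchTowr or from either platform; the sample config and the key/value patterns it checks are constructed for illustration and are not from the research dataset.

```python
import json
import re

# Constructed sample of the kind of config blob users paste into online
# formatters. Every value here is invented for this example.
SAMPLE = ('{"db":{"host":"db.internal","password":"hunter2pass"},'
          '"aws":{"access_key_id":"AKIAEXAMPLEEXAMPLE01",'
          '"secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},'
          '"tls_key":"-----BEGIN RSA PRIVATE KEY-----\\nMIIE...\\n-----END RSA PRIVATE KEY-----",'
          '"region":"eu-west-1"}')

# Key names that usually hold secrets, whatever the value looks like.
SENSITIVE_KEYS = re.compile(
    r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key|credential)", re.I)
# Value shapes that look like secrets even under an innocent key name.
SENSITIVE_VALUES = [
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                # AWS access key ID
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),                   # PEM private key
    re.compile(r"\b(eyJ[A-Za-z0-9_-]{10,}\.){2}[A-Za-z0-9_-]{10,}\b"),  # JWT
]

def redact(node, path="", findings=None):
    """Walk a parsed JSON tree and replace secret-looking string leaves with a marker.
    Returns (redacted_tree, findings), where findings lists the JSON paths that were hit."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        return {k: redact(v, f"{path}.{k}" if path else k, findings)[0]
                for k, v in node.items()}, findings
    if isinstance(node, list):
        return [redact(v, f"{path}[{i}]", findings)[0]
                for i, v in enumerate(node)], findings
    if isinstance(node, str):
        leaf_key = path.rsplit(".", 1)[-1]
        if SENSITIVE_KEYS.search(leaf_key) or any(p.search(node) for p in SENSITIVE_VALUES):
            findings.append(path)
            return "<REDACTED>", findings
    return node, findings

def safe_beautify(raw):
    """Pretty-print JSON entirely on the local machine, with secrets stripped first."""
    tree, findings = redact(json.loads(raw))
    return json.dumps(tree, indent=2, sort_keys=True), findings

if __name__ == "__main__":
    pretty, hits = safe_beautify(SAMPLE)
    print(pretty)
    print("redacted paths:", hits)
```

Pattern lists like this catch the obvious cases only; the durable fix is to keep formatting local (for example `python -m json.tool`) so no upload happens at all.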

After analyzing the data, it attempted to contact high-profile organizations impacted by the leaks, and worked with CERT teams to reach more entities.

By placing fake credentials in these JSON formatting platforms, the cybersecurity firm discovered that others were also scraping the databases and that exposed secrets are used within days after being leaked.

“We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites,” WatchTowr notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
