How Online Code-Formatting Tools Became Accidental Secret-Sharing Platforms
When developers reach for online code-formatting tools like JSONFormatter or CodeBeautify, they’re usually seeking a quick fix for messy code—not a headline-making data breach. Yet, a seemingly innocuous feature, the “Recent Links” page, has turned these platforms into accidental treasure troves for cybercriminals. Researchers at WatchTowr uncovered that thousands of secrets—ranging from bank credentials to government access keys—were left exposed, all thanks to public, easily guessable URLs and a lack of access controls (BleepingComputer).
The scale is jaw-dropping: over 80,000 user-submitted pastes, more than 5GB of sensitive data, and secrets from some of the world’s most security-conscious sectors. The problem isn’t just technical; it’s also human. Developers, often under pressure, may not realize that sharing a snippet for troubleshooting means broadcasting confidential information to the world. With attackers actively scanning these platforms and trying out planted decoy credentials within two days of upload, the risk is far from theoretical. The episode sits squarely at the intersection of usability, security, and ordinary human error (BleepingComputer).
The Unintended Consequences of Online Code Formatting
Online code-formatting tools such as JSONFormatter and CodeBeautify were built to let developers quickly format, beautify, and validate snippets, especially JSON. A design oversight in one feature, “Recent Links”, has turned them into large, unintentional repositories of sensitive information. Researchers at WatchTowr brought the problem to light when they found thousands of secrets from high-risk sectors exposed through these platforms (BleepingComputer).
The “Recent Links” feature lets a user save a formatted snippet and share it via a unique URL. Those URLs are then listed on a public page with no authentication or access control, so anyone, including malicious actors, can discover them. A predictable URL structure compounds the risk, because automated crawlers can enumerate and harvest the links systematically.
Scale and Scope of the Exposure
The magnitude of the exposure is staggering. Over a five-year period, researchers collected more than 80,000 user-submitted pastes, totaling over 5GB of data, from JSONFormatter alone. CodeBeautify contributed additional data from a one-year window. These pastes contained a wide array of sensitive information, including but not limited to:
- Active Directory credentials
- Database and cloud service credentials
- Private cryptographic keys
- Code repository tokens
- Continuous Integration/Continuous Deployment (CI/CD) secrets
- Payment gateway keys
- API tokens
- SSH session recordings
- Personally identifiable information (PII), including know-your-customer (KYC) data
Notably, the exposed data originated from organizations in sectors such as government, banking, critical infrastructure, insurance, aerospace, healthcare, education, cybersecurity, and telecommunications. In some cases, the data included credentials for major financial institutions, configuration files for cybersecurity companies, and even AWS credentials used by international stock exchanges (BleepingComputer).
Mechanisms of Accidental Disclosure
The accidental disclosure of secrets via code-formatting tools can be traced to several interrelated factors:
Lack of Access Controls
The absence of authentication or access restrictions on the “Recent Links” pages means that any user—malicious or otherwise—can access the saved snippets. The platforms do not require login credentials or provide any means of restricting access to the links, making them publicly available by default.
Predictable URL Patterns
The URLs generated for saved snippets follow a structured and predictable pattern. An attacker can write a simple script that enumerates candidate URLs and scrapes whatever they return, so the lack of randomness in the identifier lowers the cost of mass harvesting to almost nothing. The reverse caveat matters too: a high-entropy identifier only raises the cost of guessing; it does nothing for a link that is listed on a public index page or that leaks through a browser history, a Referer header, or a proxy log.
User Misunderstanding of Platform Behavior
Many users are unaware that saving a snippet for sharing on these platforms results in public exposure. Developers may assume that their data is private or ephemeral, not realizing that it is being indexed and made accessible to anyone with the link. This misunderstanding is compounded by the lack of clear warnings or documentation on the platforms regarding the public nature of saved links.
Inadvertent Inclusion of Sensitive Data
Developers often use online formatters to troubleshoot or share configuration files, logs, or code snippets that may contain embedded secrets. In the rush to resolve issues or collaborate with colleagues, they may inadvertently include credentials, API keys, or other sensitive information in the snippets they upload.
Real-World Examples of Sensitive Data Exposure
The exposure is not theoretical; researchers have documented numerous instances of highly sensitive data being leaked. For example, a managed security service provider (MSSP) inadvertently leaked Active Directory credentials for its own environment, as well as email and ID-based credentials for a major U.S. bank—its largest and most heavily advertised client. In another case, a cybersecurity company’s configuration file, containing encrypted credentials, SSL certificate private key passwords, and both internal and external hostnames and IP addresses, was found publicly accessible (BleepingComputer).
The researchers also found AWS credential sets used by an international stock exchange’s Splunk SOAR system, as well as onboarding emails containing credentials for banks. The diversity and sensitivity of the exposed data highlight the systemic nature of the problem and the potential for significant harm if exploited by threat actors.
Evidence of Active Exploitation
To assess whether attackers were already exploiting these accidental disclosures, WatchTowr researchers conducted a controlled experiment. They generated fake but valid-looking AWS access keys using the Canarytokens service and embedded them in JSON snippets saved on both JSONFormatter and CodeBeautify. These snippets were accessible via links set to expire in 24 hours.
Remarkably, the honeypot system recorded access attempts using the fake keys within 48 hours of the initial upload and save. This demonstrates that malicious actors are actively scanning these platforms for exposed secrets and attempting to leverage them for unauthorized access or further attacks (BleepingComputer).
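The experiment above generalizes into a standing control: plant decoy credentials wherever a leak might occur, record where each decoy was planted, and alert with that context the moment one is used. The following is an added example of that correlation step, not WatchTowr's tooling or Canarytokens' own alerting. It assumes the decoys are AWS access keys with no permissions and that their use surfaces as CloudTrail records; the decoy registry and the three CloudTrail-style records are constructed (the key IDs are AWS documentation placeholders, the addresses are from the TEST-NET ranges).

```python
from datetime import datetime, timezone

# Decoy registry: which key was planted where and when (constructed values).
DECOYS = {
    "AKIAIOSFODNN7EXAMPLE": {"planted_in": "jsonformatter", "planted_at": "2025-11-10T09:00:00Z"},
    "AKIAI44QH8DHBEXAMPLE": {"planted_in": "codebeautify", "planted_at": "2025-11-10T09:05:00Z"},
}

# Constructed CloudTrail-style records. A real feed would come from the
# CloudTrail bucket of the account that owns the decoy keys.
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-11T14:22:07Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-11-11T14:22:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.45",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-11-11T16:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLENOTADECOY"}},
]


def _parse_ts(s):
    # CloudTrail timestamps are UTC with a trailing Z.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_decoy_use(events, decoys=DECOYS):
    """Group events that used a decoy key by key id, with planting context."""
    hits = {}
    for ev in events:
        key_id = ev.get("userIdentity", {}).get("accessKeyId")
        if key_id not in decoys:
            continue
        rec = hits.setdefault(key_id, {
            "planted_in": decoys[key_id]["planted_in"],
            "first_seen": None,
            "source_ips": set(),
            "calls": [],
        })
        ts = _parse_ts(ev["eventTime"])
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
        rec["source_ips"].add(ev.get("sourceIPAddress"))
        # sts:GetCallerIdentity needs no permissions, so it is the usual first
        # probe of a harvested key; later calls typically fail with AccessDenied.
        rec["calls"].append((ev["eventName"], ev.get("errorCode", "Success")))
    return hits


def hours_to_first_use(hits, decoys=DECOYS):
    """Elapsed hours between planting each decoy and its first observed use."""
    return {
        key_id: (rec["first_seen"] - _parse_ts(decoys[key_id]["planted_at"])).total_seconds() / 3600
        for key_id, rec in hits.items()
    }


if __name__ == "__main__":
    hits = detect_decoy_use(SAMPLE_EVENTS)
    delays = hours_to_first_use(hits)
    for key_id, rec in hits.items():
        print(f"decoy {key_id} planted in {rec['planted_in']} used from "
              f"{sorted(rec['source_ips'])} after {delays[key_id]:.1f} h: {rec['calls']}")
```

The value of the registry is attribution: because each decoy is unique to the place it was planted, a hit tells you which platform was scraped and how quickly, which is exactly the measurement the researchers were after.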
The Role of Third-Party Security Providers in the Exposure
A particularly concerning aspect of the exposure is the involvement of third-party security providers. Managed security service providers (MSSPs) are often entrusted with the most sensitive credentials and configurations of their clients. The discovery that an MSSP leaked not only its own Active Directory credentials but also those of a major banking client underscores the risks associated with third-party access and the need for stringent security controls.
The exposure of client credentials by an MSSP could facilitate supply chain attacks, where threat actors compromise a trusted provider to gain access to multiple downstream targets. This risk is amplified when the provider serves clients in critical sectors such as finance, government, or healthcare.
The Impact on Regulatory Compliance and Data Privacy
The public exposure of sensitive data via code-formatting tools has significant implications for regulatory compliance and data privacy. Organizations operating in regulated sectors—such as banking, healthcare, and government—are subject to strict requirements regarding the protection of customer data and the reporting of data breaches.
The inadvertent disclosure of PII, KYC data, and other regulated information via public code-formatting platforms could trigger mandatory breach notifications, regulatory investigations, and substantial fines. For example, under the General Data Protection Regulation (GDPR) in the European Union, organizations must report breaches involving personal data within 72 hours and may face penalties of up to 4% of annual global turnover.
Similarly, financial institutions in the United States are subject to the Gramm-Leach-Bliley Act (GLBA), which mandates the protection of customer information and imposes penalties for unauthorized disclosures. The exposure of sensitive banking credentials or customer data via public platforms could result in significant legal and financial consequences.
The Broader Security Implications for the Software Supply Chain
The accidental exposure of secrets on code-formatting platforms has broader implications for the security of the software supply chain. Credentials, API keys, and configuration files are often used to automate deployments, integrate with third-party services, and manage infrastructure. If these secrets are compromised, attackers can gain unauthorized access to critical systems, manipulate code repositories, or disrupt CI/CD pipelines.
The exposure of SSH session recordings and code repository tokens further increases the risk of lateral movement within organizations and the potential for sophisticated supply chain attacks. Attackers can leverage these credentials to escalate privileges, exfiltrate sensitive data, or introduce malicious code into trusted software components.
Mitigation Strategies and Recommendations for Users
Given the scale and severity of the exposure, it is imperative for organizations and individual developers to adopt robust mitigation strategies:
- Avoid Uploading Sensitive Data: Never upload configuration files, logs, or code snippets containing secrets to public code-formatting platforms. Format locally instead: `jq . file.json` or `python -m json.tool file.json` does what the web tools do without the data leaving the machine, and most editors have an equivalent command. Keep anything sensitive in access-controlled environments.
- Review Platform Documentation: Familiarize yourself with the privacy and security features of any online tool before use. Ensure you understand whether saved data is publicly accessible and for how long.
- Implement Secrets Management Solutions: Use dedicated secrets management tools to store and manage credentials, API keys, and other sensitive data. Integrate these tools into development workflows to minimize the risk of accidental exposure.
- Monitor for Leaked Credentials: Regularly scan public platforms and repositories for leaked credentials associated with your organization. Use automated tools and services to detect and respond to exposures promptly.
- Educate Developers and Staff: Provide training on secure coding practices and the risks associated with sharing code and configuration files online. Emphasize the importance of removing secrets before sharing or troubleshooting code.
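Before a snippet leaves the machine at all, it is worth running it through a scanner that flags the kinds of material listed in the exposure above (credential key names, AWS key IDs, repository tokens, embedded private keys, basic-auth URLs) and redacts them in place. The following is an added example, not code from the original article or from WatchTowr. The regular expressions are a starting set, not a complete one, and the sample configuration is constructed (the AWS values are the placeholder keys from AWS documentation).

```python
import json
import re

# Key names that usually hold credentials, matched case-insensitively.
SENSITIVE_KEY_RE = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key|authorization",
    re.IGNORECASE,
)

# Value formats that are secrets no matter which key they sit under.
# AWS secret access keys have no fixed prefix, so they are only caught by the
# key-name rule above; that is why both rules are needed.
SENSITIVE_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "basic_auth_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

REDACTED = "[REDACTED]"


def _walk(path, value, findings):
    """Return a redacted copy of value, appending (json path, reason) to findings."""
    if isinstance(value, dict):
        out = {}
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if SENSITIVE_KEY_RE.search(key) and not isinstance(child, (dict, list)):
                findings.append((child_path, "sensitive_key_name"))
                out[key] = REDACTED
            else:
                out[key] = _walk(child_path, child, findings)
        return out
    if isinstance(value, list):
        return [_walk(f"{path}[{i}]", item, findings) for i, item in enumerate(value)]
    if isinstance(value, str):
        for reason, pattern in SENSITIVE_VALUE_PATTERNS.items():
            if pattern.search(value):
                findings.append((path, reason))
                return REDACTED
    return value


def redact_snippet(text):
    """Parse JSON text; return (redacted pretty-printed text, list of findings)."""
    findings = []
    clean = _walk("", json.loads(text), findings)
    return json.dumps(clean, indent=2), findings


# Constructed sample config; the AWS values are AWS's own documentation placeholders.
SAMPLE = json.dumps({
    "service": "payments-api",
    "endpoint": "https://api.example.com/v1",
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "db": {"host": "db.internal", "port": 5432, "password": "hunter2"},
    "hooks": [{"url": "https://svc:s3cret@hooks.example.com/notify"}],
    "retries": 3,
})

if __name__ == "__main__":
    redacted, found = redact_snippet(SAMPLE)
    for path, reason in found:
        print(f"{path}: {reason}")
    print(redacted)
```

Run on the sample, this reports four findings (both AWS keys by key name, the database password by key name, and the webhook URL by its embedded credentials) and prints a copy that is safe to paste anywhere. For files that are not JSON, or for a whole repository, dedicated scanners such as gitleaks or trufflehog carry far larger pattern sets and should be wired into pre-commit and CI rather than reimplemented.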
Platform Provider Responsibilities and Potential Remediation
While users bear responsibility for safeguarding their secrets, platform providers also have a critical role to play in preventing accidental disclosures:
- Implement Access Controls: Require authentication or provide options to restrict access to saved snippets. Allow users to designate links as private or set expiration periods.
- Randomize URL Structures: Generate link identifiers from a cryptographically secure random source with at least 128 bits of entropy, so that enumeration is infeasible. Treat this as a complement to access control rather than a replacement, since a link that is indexed or shared is no longer secret.
- Display Clear Warnings: Prominently display warnings to users when saving or sharing snippets, alerting them to the public nature of the data.
- Offer Secure Alternatives: Provide secure, access-controlled options for sharing code snippets, such as one-time links or encrypted sharing mechanisms.
- Regularly Audit and Purge Data: Periodically review and remove old or inactive snippets to minimize the risk of long-term exposure.
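The first two items above, private-by-default links with an expiry and unguessable identifiers, are cheap to get right. The sketch below is an added example of the storage rules a provider would want, not code from either platform. It is an in-memory model with an injectable clock (an assumption made for testability); a real service would enforce the same rules in front of its database.

```python
import secrets
import time

ID_BYTES = 16  # 128 bits of randomness per link id; brute-force enumeration is infeasible


class PasteStore:
    """Share-link store with safe defaults: private, expiring, unguessable ids."""

    def __init__(self, clock=time.time):
        self._clock = clock    # injectable so expiry can be exercised in tests
        self._pastes = {}      # paste_id -> record

    def save(self, content, ttl_seconds=24 * 3600, public=False):
        # token_urlsafe(16) yields a 22-character URL-safe id drawn from the OS
        # CSPRNG, unlike a sequential counter, which a crawler walks in minutes.
        paste_id = secrets.token_urlsafe(ID_BYTES)
        self._pastes[paste_id] = {
            "content": content,
            "expires_at": self._clock() + ttl_seconds,
            "public": public,
        }
        return paste_id

    def get(self, paste_id):
        """Return the content, or None if the id is unknown or expired (expired entries are purged)."""
        rec = self._pastes.get(paste_id)
        if rec is None:
            return None
        if self._clock() >= rec["expires_at"]:
            del self._pastes[paste_id]
            return None
        return rec["content"]

    def recent_links(self):
        """The public index lists only pastes whose author explicitly opted in."""
        self.purge_expired()
        return [pid for pid, rec in self._pastes.items() if rec["public"]]

    def purge_expired(self):
        """Drop expired pastes; return how many were removed."""
        now = self._clock()
        expired = [pid for pid, rec in self._pastes.items() if now >= rec["expires_at"]]
        for pid in expired:
            del self._pastes[pid]
        return len(expired)


if __name__ == "__main__":
    store = PasteStore()
    private_id = store.save('{"db_password": "example"}')       # default: private, 24 h
    public_id = store.save('{"hello": "world"}', public=True)   # opted in to the index
    print("recent links:", store.recent_links())                # only public_id
    print("private fetch:", store.get(private_id))
```

Two details carry the security weight: the public index is computed from an explicit opt-in flag rather than from "everything recently saved", and expiry is enforced at read time as well as by the periodic purge, so a stale link stops working even if the background job falls behind.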
The Ongoing Risk Landscape
The findings from WatchTowr and the subsequent media coverage underscore the ongoing risks associated with online code-formatting tools. As threat actors continue to scan for exposed secrets and organizations increasingly rely on third-party platforms for development and collaboration, the potential for accidental disclosure remains high.
Organizations must remain vigilant, continuously assess their exposure, and implement layered security controls to mitigate the risks associated with accidental secret sharing on public platforms. The lessons learned from this incident should inform future platform design, user education, and regulatory oversight to prevent similar exposures in the future (BleepingComputer).
Final Thoughts
The accidental exposure of secrets through code-formatting tools is a wake-up call for both developers and platform providers. As organizations increasingly rely on third-party services and cloud-based tools, the boundaries of responsibility blur—but the consequences of a slip-up remain severe. Real-world incidents, like the leakage of banking credentials and AWS keys, show that even the most trusted sectors are vulnerable when convenience trumps caution (BleepingComputer).
Mitigation isn’t just about better technology; it’s about fostering a culture of security awareness, implementing robust secrets management, and demanding more from the platforms we trust. As organizations push more of their work through third-party tools and as supply chain attacks grow more sophisticated, vigilance and proactive controls are non-negotiable. The lessons from this analysis should drive not just technical fixes, but a broader shift in how we approach digital trust and collaboration.
References
- Cimpanu, C. (2024, June 10). Code formatters expose thousands of secrets from banks, govt, tech orgs. BleepingComputer. https://www.bleepingcomputer.com/news/security/code-formatters-expose-thousands-of-secrets-from-banks-govt-tech-orgs/