Developers left large cache of credentials exposed on code generation websites
Briefly

"However, it turned out that the sites were also exposing the real data through a separate 'Recent Links' feature. By querying the sites' /service/getDataFromID API endpoint, watchTowr was able to extract the content behind each link from 80,000+ downloaded submissions, five years of historical JSON Formatter content, one year of historical Code Beautify content, 5GB+ of enriched data, annotated JSON data, plus thousands of secrets. These included:"
"- Active Directory credentials
- Code repository authentication keys
- Database credentials
- LDAP configuration information
- Cloud environment keys
- FTP credentials
- CI/CD pipeline credentials
- Full, and sensitive API requests and responses
- Private keys
- Card payment gateway credentials
- RTSP credentials
- Administrative JWT tokens
- Helpdesk API keys
- Meeting room API keys
- SSH session recordings
- A wide range of personally identifiable information (PII)

Clearly, the developers using the platforms didn't realize that when they entered their data, it would be retained and potentially exposed by the sites' insecure design."
The sites provided a 'Save' feature that generated shareable URLs containing user-submitted code and data; anyone holding one of those URLs could retrieve the original submission. A separate 'Recent Links' feature and the /service/getDataFromID API exposed the stored content further. Researchers extracted over 80,000 submissions, five years of JSON Formatter history, one year of Code Beautify history, and more than 5GB of enriched annotated data. The exposed items included credentials, API keys, private keys, configuration details, recordings, and extensive PII. Developers who pasted data into the sites unintentionally left sensitive production and personal data exposed, because the sites retained every submission and served it back through an insecurely designed feature.
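A defender-side check suggested by the findings above: before a config or API payload leaves the workstation for a third-party formatter, scan it locally for the kinds of secrets the researchers recovered (directory and database credentials, JWTs, private keys, random-looking API keys). This is an added example, not code from the InfoWorld article or from watchTowr; the key-name patterns, the entropy threshold and the SAMPLE document are constructed assumptions.

```python
import json
import math
import re

# Key names that commonly carry credentials in the kinds of data listed above (assumed list).
SECRET_KEY_RE = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|access[_-]?key|credential", re.I)
# Value shapes that are secrets regardless of the key they sit under.
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@", re.I)

def shannon_entropy(s: str) -> float:
    # Bits per character; random-looking keys and tokens score well above 4.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def classify(key: str, value: str):
    # Reason a (key, value) pair looks like a credential, or None. Value shape is checked
    # before key name so a JWT stored under "token" is reported once, as a JWT.
    if PEM_RE.search(value):
        return "PEM private key block"
    if JWT_RE.match(value):
        return "JWT"
    if URL_CRED_RE.match(value):
        return "URL with embedded credentials"
    if value and SECRET_KEY_RE.search(key):
        return "key name suggests a credential"
    if len(value) >= 32 and " " not in value and shannon_entropy(value) > 4.0:
        return "high-entropy string"
    return None

def find_secrets(doc, path="$", key=""):
    # Walk a parsed JSON document; return (json_path, reason) findings in document order.
    findings = []
    if isinstance(doc, dict):
        for k, v in doc.items():
            findings.extend(find_secrets(v, f"{path}.{k}", k))
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            findings.extend(find_secrets(v, f"{path}[{i}]", key))
    elif isinstance(doc, str) and (reason := classify(key, doc)):
        findings.append((path, reason))
    return findings

# Constructed sample resembling a service config a developer might paste into a formatter.
SAMPLE = ('{"ldap": {"url": "ldap://corp.example", "bind_password": "Winter2024!"},'
          ' "db": {"dsn": "postgres://app:hunter2@db.internal/prod"}, "name": "payments-service",'
          ' "api": {"token": "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYWRtaW4ifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"}}')
```

Running `find_secrets(json.loads(SAMPLE))` reports three paths; anything the scan flags should be formatted with a local tool such as `python -m json.tool` rather than pasted into a hosted site.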
Read at InfoWorld