Disclaimer: The following article is for informational and awareness purposes only. Any notable findings during this investigation have been reported using the appropriate channels.

Intro

JSON, XML, YAML and other text formats are very popular among software developers. They are used for everything: exchanging data between a web client and a server, storing records in a database, and saving application configuration files.

Formats such as JSON and XML are well defined, and they are reasonably readable by humans… as long as they include line breaks and indentation. That whitespace exists only for human readers: a parser ignores it, and it adds bytes to every payload that is transmitted or stored. For that reason JSON and XML documents are usually minified, with all line breaks and indentation stripped out.

Share this code! I mean, format this code!

What happens when a developer encounters a file without line breaks? This, my friends, is where today’s protagonist comes into play: “beautifiers”, or formatters. An internet search for “format JSON”, “beautify JSON”, “format XML” or “beautify XML” returns, at the top of the results, two pages that many readers will already know:

  • https://jsonformatter.org (JSON and XML)
  • https://codebeautify.org (All types of code and text formats)

Both pages work in a very similar way: you paste the unformatted XML or JSON on one side, click “format,” and it shows you a neat version with line breaks and proper indentation. Simple, right?

[Screenshot: codebeautify]

[Screenshot: xmlformatter]

What many might not have noticed is that both pages contain a button in their top menu labeled “Recent Links”.

[Screenshot: recentlinks]

“Recent Links” lists every link generated from the content pasted by users of the two websites, with a history going back as far as 2015. And what is even worse, the content behind each of these generated links can be opened.

[Screenshot: recentlinks_contents]

[Screenshot: content]

It is therefore possible to see what users of these websites have tried to format, with no authentication required. But as we all know, no one would use an online page like this to format sensitive data, right? Riiight?


Google caches and indexes these links and their content, so search engines already treat them as public information.

[Screenshot: google]

Scraping all the links on both websites in search of sensitive information yields truly surprising results:

  • API keys for highly sensitive services.
  • SSH keys for servers on the internet.
  • Usernames and passwords.
  • Bank account information.
  • Other extremely sensitive data.

In short, a vast amount of sensitive information, all of it the result of the poor practice of pasting code into untrusted websites.
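The categories listed above are exactly what a pre-paste check should catch. The following is an added example (not code from the article) of a small scanner and redactor that a developer can run over a blob before handing it to any third-party tool, and that a red teamer can equally run over content harvested from such pages to triage it. The regexes are illustrative starting points, not a complete catalogue of credential formats; the sample document is constructed for this example, and the access key in it is the placeholder value AWS uses in its own documentation.

```python
"""Pre-paste secret scanner and redactor.
Added example, not code from the article; standard library only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Category -> regex. When the regex has a capture group, group 1 is the secret
# value; otherwise the whole match is. Illustrative patterns, not a full catalogue.
PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
        r"[\s\S]*?"
        r"-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    # scheme://user:password@host  (FTP, database and HTTP connection strings)
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@\"']+:([^\s@\"']+)@"),
    # "password": "x"   PASSWORD=x   api_key = x   token: x
    "password_field": re.compile(
        r"(?i)\"?(?:password|passwd|pwd|secret|api[_-]?key|token)\"?\s*[:=]\s*\"?([^\s\",]+)"
    ),
}
REDACTED = "<REDACTED:"

# Constructed sample: the kind of config that ends up in a public "Recent Links" entry.
SAMPLE = """{
  "service": "video-uploader",
  "storage": "ftp://deploy:Sup3rS3cret@ftp.example.com/videos",
  "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "us-east-1"},
  "db": {"user": "app", "password": "hunter2"},
  "ssh_key": "-----BEGIN OPENSSH PRIVATE KEY-----\\nb3BlbnNzaC1rZXktdjEAAAAA\\n-----END OPENSSH PRIVATE KEY-----"
}"""


@dataclass(frozen=True)
class Finding:
    category: str
    line: int      # 1-based line number in the scanned text
    preview: str   # first few characters only, so the report itself is safe to share


def scan(text: str) -> list[Finding]:
    """Return one Finding per secret-looking value, ordered by line."""
    findings: list[Finding] = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(1) if m.groups() else m.group(0)
            if secret.startswith(REDACTED):      # already redacted by redact()
                continue
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(category, line, secret[:4] + "..."))
    return sorted(findings, key=lambda f: f.line)


def _redact_match(m: re.Match, category: str) -> str:
    """Replace only the secret part of a match, keeping user names, hosts, etc."""
    whole = m.group(0)
    if not m.groups():
        return f"{REDACTED}{category}>"
    start, end = m.span(1)
    offset = m.start()
    return whole[: start - offset] + f"{REDACTED}{category}>" + whole[end - offset:]


def redact(text: str) -> str:
    """Return a copy of text with every detected secret replaced by a marker."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, c=category: _redact_match(m, c), text)
    return text


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.category} ({f.preview})")
    print(redact(SAMPLE))
```

Run `scan()` on anything you are about to paste somewhere you do not control; if it returns findings, either use `redact()` and paste the redacted copy (the structure is preserved, so it still formats correctly) or, better, format locally. Treat a clean result as a hint, not a guarantee: the patterns are deliberately simple and will miss credentials that do not look like any of them.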

The “Large American news company” case.

One case, reported and fixed immediately after its discovery a year ago, involved one of the biggest American television networks. Among the content of one of the aforementioned pages was a connection string for an FTP server where the videos for their main website were stored. With it, anyone could have edited, deleted or replaced that content. For an international news website, the impact would have been considerable.

[Screenshot: newscompany]

Again, this was reported and solved immediately.

Conclusion

As a red teamer, these kinds of websites are a place to look for potential leaks affecting your target. As a developer or user, you should never paste sensitive information of any kind into an online service, especially when that information is stored or processed by an untrusted backend that offers no guarantees. Local applications such as Boop on macOS, or Visual Studio Code as a cross-platform option, can format any type of code without the content ever leaving your machine.
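The formatting these websites perform is a few lines of standard-library code, so there is no need to upload anything. Below is an added example (not code from the article or from either website) of an offline pretty-printer for both formats discussed earlier, covering the minified JSON and XML from the intro and the recommendation to format locally; the file name `fmt.py` in the usage comment is an assumption.

```python
"""Offline JSON/XML pretty-printer: the document never leaves the machine.
Added example (standard library only); not code from the article."""
import json
import sys
import xml.dom.minidom


def format_json(text: str, indent: int = 2) -> str:
    """Parse a (possibly minified) JSON document and re-serialize it with
    line breaks and indentation. Invalid JSON raises json.JSONDecodeError."""
    return json.dumps(json.loads(text), indent=indent, ensure_ascii=False)


def format_xml(text: str, indent: str = "  ") -> str:
    """Insert line breaks and indentation into a minified XML document."""
    pretty = xml.dom.minidom.parseString(text).toprettyxml(indent=indent)
    # minidom emits blank lines for whitespace-only text nodes; drop them.
    return "\n".join(line for line in pretty.splitlines() if line.strip())


def format_any(text: str) -> str:
    """Dispatch on the first non-blank character: '<' means XML, anything else JSON."""
    text = text.strip()
    return format_xml(text) if text.startswith("<") else format_json(text)


if __name__ == "__main__":
    # Usage (assumed file name): python3 fmt.py < minified.json   or   < minified.xml
    sys.stdout.write(format_any(sys.stdin.read()) + "\n")
```

For JSON alone, `python3 -m json.tool` and `jq .` do the same job from the command line. If the XML you format comes from an untrusted source, parse it with defusedxml rather than the stock minidom parser; formatting locally removes the leak, not the usual XML parsing hazards.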