/service/getDataFromID API endpoint, watchTowr was able to extract the content behind each link from 80,000+ downloaded submissions, five years of historical JSON Formatter content, one year of historical Code Beautify content, 5GB+ of enriched data, annotated JSON data, plus thousands of secrets. These included:
- Active Directory credentials
- Code repository authentication keys
- Database credentials
- LDAP configuration information
- Cloud environment keys
- FTP credentials
- CI/CD pipeline credentials
- Full and sensitive API requests and responses
- Private keys
- Card payment gateway credentials
- RTSP credentials
- Administrative JWT tokens
- Helpdesk API keys
- Meeting room API keys
- SSH session recordings
- A wide range of personally identifiable information (PII)

Clearly, the developers using the platforms didn’t realize that when they entered their data, it would be retained and potentially exposed by the sites’ insecure design. The researchers identified many large organizations whose data was exposed in the URLs, including those in government, critical national infrastructure, healthcare, banking, and even a prominent cyber security company.

One curious discovery was data posted by an MSSP: the Active Directory (AD) username and email credentials belonging to one of its clients, a large US bank. Given that the data wasn’t valid JSON, the researchers surmise that the individual who posted the data was simply using the service to generate a URL through which to share credentials.

When the researchers tried to alert the affected companies to their data leaks, they were often ignored. “Of the affected organizations that we tried to contact, only a handful (thank you) responded to us quickly. The majority didn’t bother, despite attempts at communication across multiple channels,” said watchTowr principal researcher Jake Knott, in a blog.

“We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites,” he said.

To see whether the exposure had been noticed by others, watchTowr generated its own test credentials to be scraped from the sites and set them up in a honeypot to see if anyone tried to use them.

“And then, the big ‘surprise’… we got our first hit, indicating somebody was poking around these datasets. We’re not alone - someone else is already scraping these sources for credentials, and actively testing them,” said Knott.

CSO Online contacted both sites for a response to watchTowr’s research, but had not heard back by press time. However, the ‘save’ facility on both sites has now been disabled with the following message:

“Save facility temporarily disabled: We are stopping save facility to prevent NSFW content and working on to make it better. We understand this may be inconvenient, but we’re taking proactive measures to ensure our platform remains safe and appropriate for all users.”

The ‘Recent Links’ feature, however, was still accessible on one of the two, Code Beautify.

Researchers at watchTowr have a knack for spotting unusual exposures. Earlier this month, the company revealed that Fortinet had patched a zero-day vulnerability in its FortiWeb WAF platform two weeks before revealing its existence to customers.

First seen on csoonline.com
Jump to article: www.csoonline.com/article/4096193/developers-left-large-cache-of-credentials-exposed-on-code-generation-websites-2.html

