Have you ever used a web-based application to clean up messy code, or to format and organize JSON so it is easier to read? I'm sure I've done this many times without thinking much about it. However, these tools can expose your sensitive information (such as passwords and secret tokens).
What Exactly Happened?
Well, a number of researchers recently uncovered that JSONFormatter and CodeBeautify leaked many secrets.
Approximately 80,000 code snippets from two well-known, publicly available online services for cleaning and organizing poor-quality code (JSONFormatter and CodeBeautify) were obtained by an outside company.
The leaked data contains many examples of sensitive and private information, including:
- Personal information
- Receipts for money
- Details about medical treatment
- Public records
- Notary documents
Much of this private data was not safeguarded or encrypted. Many of the items included in the leak contain passwords, API keys, username/password pairs, and session tokens.
It is alarming to think that the consequences of a single error like this could be significant.
How Did This Happen?
The tools are designed to assist software developers with formatting code and presenting the output in a readable way. However, the tools had a feature called "Recent Links," which saved your code and made it accessible to the public. Therefore, if a developer pasted example code containing a password, that password could have been made public and viewed by anyone with access to the internet.
What Risks Does That Create To The Public?
When passwords and tokens are openly available to the general public, malicious actors can do things like:
- Hack systems
- Steal personal information
- Disable systems
- Inflict harm to wallets or security of individuals
Why Should The Average Person Care?
Many non-developers think, "I'm not a developer, why do I care?" But because our world is so interconnected through social networks and applications, many organizations, including banks and hospitals, store and process sensitive information. Hence, if any of these organizations had their information publicly disclosed, everyday individuals like you and me would suffer consequences such as:
- Losing money
- Having their identities stolen
- Losing access to services
- Disclosing their private data
What Steps Can I Take To Protect Myself?
Here are some recommendations I was given (which I've begun following) to help me be more secure while writing my code:
- Do not paste passwords, tokens, or keys into online sites. It is all too easy to paste something from your clipboard into a website rather than into a local application.
- Use an offline application (e.g. Notepad) on your computer to format code.
- Be certain to delete any private information, such as passwords, before sharing or formatting code.
- Store passwords in a secure vault to keep them safe.
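As an added example that is not part of the original post and not code from either tool, the script below combines the last three recommendations: it formats JSON locally with the standard library only (no network), and before doing so scrubs values whose key names look like credentials or whose values look like bearer tokens or long opaque strings. The key-name list, the value heuristic and the sample input are my own assumptions and should be extended for your data.

```python
import json
import re
from typing import Any

# Key names that commonly hold credentials (assumed list; extend for your data).
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|authorization|cookie|session)", re.I
)
# Values that look like a bearer token or a long opaque string, whatever the key name.
SENSITIVE_VALUE = re.compile(r"^(Bearer\s+\S+|[A-Za-z0-9_\-]{32,})$")


def redact(obj: Any) -> Any:
    """Return a copy of obj with credential-like values replaced by '[REDACTED]'."""
    if isinstance(obj, dict):
        return {
            k: ("[REDACTED]" if SENSITIVE_KEY.search(str(k)) else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str) and SENSITIVE_VALUE.match(obj):
        return "[REDACTED]"
    return obj


def format_json(text: str, indent: int = 2) -> str:
    """Pretty-print JSON entirely on this machine, after scrubbing secrets."""
    return json.dumps(redact(json.loads(text)), indent=indent, sort_keys=True)


# Constructed sample input with made-up credentials, for demonstration only.
SAMPLE = (
    '{"user":"alice","password":"hunter2",'
    '"config":{"api_key":"abc123","timeout":30},'
    '"headers":{"Authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"},'
    '"tags":["prod"]}'
)

if __name__ == "__main__":
    print(format_json(SAMPLE))
```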