During the course of daily development activities, many developers leak sensitive information by using hosted services.
Paste sites such as Pastebin or GitHub Gists are an easy way to share text. Unfortunately, developers often use them to share logs, configuration, or secrets without considering the implications of information leakage. Although some paste sites offer various levels of privacy settings, any use of these sites puts the data in a location that is not under the developer's or the company's control. In fact, use of these sites by developers likely violates many companies' information security policies.
A simple solution to this problem is to provide developers with an alternative that is maintained by the company. A self-hosted system such as GitLab, or another self-hosted, purpose-built paste application connected to the corporate identity provider, would be ideal.
A specific case of information leakage is the use of online JWT decoders.
According to https://jwt.io/introduction/, “Since tokens are credentials, great care must be taken to prevent security issues.”
Local JWT Alternative
The risk of using hosted services is too great. Developers should use a local alternative such as PyJWT.
pip install pyjwt
pyjwt --key=secret decode TOKEN
pyjwt decode --no-verify TOKEN
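As an added illustration (not part of the original post and not PyJWT's own code), the following standard-library Python mirrors the two pyjwt commands above: an unverified inspection of a token's header and claims, and an HS256 decode that checks the signature and pins the algorithm before returning the claims. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def encode_hs256(payload: dict, secret: bytes) -> str:
    # Build a compact-serialization JWT signed with HMAC-SHA256 (HS256).
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def decode_unverified(token: str) -> tuple:
    # Equivalent of `pyjwt decode --no-verify`: inspect header and claims
    # locally without checking the signature. These claims are untrusted.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def decode_hs256(token: str, secret: bytes) -> dict:
    # Equivalent of `pyjwt --key=secret decode`: verify the HS256 signature
    # before returning the claims. The algorithm is pinned so a token whose
    # header claims "none" or any other algorithm is rejected outright.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))

if __name__ == "__main__":
    # Constructed secret and claims for demonstration only.
    SECRET = b"constructed-demo-secret"
    token = encode_hs256({"sub": "dev-user", "role": "developer"}, SECRET)
    print(decode_unverified(token))
    print(decode_hs256(token, SECRET))
```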
Developers should be aware of their use of hosted services and the security implications of information leakage. Security teams should socialize information security policies and internal tooling teams should make alternatives to hosted services available.