Introduction

During the course of daily development activities, many developers leak sensitive information by using hosted services.

Paste sites

Paste sites such as Pastebin or GitHub Gists are an easy way to share text. Unfortunately, developers often use them to share logs, configuration, or secrets without considering the implications of information leakage. Although some paste sites offer various levels of privacy settings, any use of these sites puts the data in a location that is not under the developer’s or company’s control. In fact, use of these sites by developers likely violates many companies’ information security policies.

A simple solution to this problem is to provide developers with an alternative that is maintained by the company. A self-hosted system such as GitLab, or another self-hosted, purpose-built paste application connected to the corporate identity provider, would be ideal.

JWT decoder

A specific case of information leakage is the use of online JWT decoders.

According to https://jwt.io/introduction/, “Since tokens are credentials, great care must be taken to prevent security issues.”

Yet on https://jwt.io/#debugger, there is a helpful debugger where developers can paste their tokens. Although the page says “We do not record tokens, all validation and debugging is done on the client side.”, exceedingly few users will verify this claim at all, and the check would have to be repeated on every use, since the JavaScript can be altered at any time. In particular, a targeted attack could return malicious JavaScript that exfiltrates tokens from specific users, while serving client-side-only JavaScript to all other users.

Local JWT Alternative

The risk of using hosted services is too great. Developers should use a local alternative such as PyJWT.

pip install pyjwt
pyjwt --key=secret decode TOKEN   # verify the signature with the shared secret, then print the claims
pyjwt decode --no-verify TOKEN    # print the claims without checking the signature (inspection only)
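For developers who prefer a script over the CLI, the following is an added example (not from the original article) of a local JWT inspector in pure standard-library Python: it decodes the header and claims the way the jwt.io debugger does and verifies an HS256 signature, with nothing leaving the machine. The key and claims are constructed placeholders.

```python
# Added example: local JWT decode/verify with stdlib only, so tokens are never
# pasted into a hosted service. SAMPLE_KEY and the claims are constructed.
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> tuple:
    """Return (header, claims) without checking the signature: the local
    equivalent of `pyjwt decode --no-verify`. Fine for inspection, never for trust."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Verify an HS256 signature locally. Any other `alg` (including `none`)
    is rejected so the token cannot pick its own algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a constructed sample token so the example runs offline."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


# Constructed placeholders, not real credentials.
SAMPLE_KEY = b"secret"
SAMPLE_TOKEN = make_hs256_token({"sub": "dev-user", "scope": "read"}, SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_unverified(SAMPLE_TOKEN))
    print("signature valid:", verify_hs256(SAMPLE_TOKEN, SAMPLE_KEY))
```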

Conclusion

Developers should be aware of their use of hosted services and the security implications of information leakage. Security teams should socialize information security policies and internal tooling teams should make alternatives to hosted services available.