BeyondMemory · Threat Intelligence for SOC and CTI Teams
Seven Years on a Public Clipboard: Pasted Secrets, Türkiye's Exposure, and a Stored XSS
By: Beyondmemory Research
June 3, 2026
Security Research
Seven years inside the public "Recent Links" feeds of a family of JSON and code "beautifier" tools. What engineers pasted; whose data it was; what the rise of the AI coding assistant changed; and what a Turkish data controller is supposed to do about the TCKNs and IBANs sitting on a stranger's server right now. And the part we did not go looking for: the formatter itself carries a stored cross-site-scripting flaw, so the service holding all of this data can be made to run an attacker's code in your browser.
A morning at the keyboard, somewhere
It is mid-afternoon at a tax-preparation company in the United States. A document-delivery service keeps failing, so an engineer copies a JSON callback out of the debugger to clean it up: one client's filing, caught mid-pipeline. The record carries the client's name, their Social Security number in the clear, and, a few fields down, a live access key for the cloud queue that ships the document. The engineer pastes it into a public JSON formatter. The formatter saves the paste under a six-hex identifier and adds the resulting URL to its public "Recent Links" feed, where, months later, our scraper retrieves it.
That paste is one of the documents in our corpus. The client is one of several thousand people whose most private records have been routed, in pieces, through this single public service over the years. The vendor does not know. The client does not know. The company's information-security team almost certainly does not know either, because if it did, the paste would not still be retrievable as we write this.
Now move the same scene to Istanbul, or Ankara, or Izmir. A different engineer, a different debugger, the same instinct. The payload that comes out is a retail bank customer's full credit limit and outstanding debt, balances in Turkish lira. Or a taxpayer's invoice lifted straight off the national e-Fatura rails. Or a company's entire member table, the whole roster in one file. The instinct is identical, the tool is identical, and so is the outcome: the data is gone the moment it leaves the laptop.
The pattern is not new. What has changed in recent years is the shape of who is doing it, what they are pasting, and, increasingly, why. This is a report on that change, and on Türkiye's specific, measurable place inside it.
Why a JSON formatter, and why now
There is nothing remarkable about a JSON formatter as a piece of software. It accepts a blob of text, indents it, and offers a button to save the result under a shareable URL. The remarkable part is that millions of engineers, every year, choose to do their debugging through one, and that the service, by default in many cases, publishes the saved paste on its own public listing page.
watchTowr Labs documented this surface in November 2025 on a sample of roughly 80,000 documents. Our work extends and quantifies theirs: around 200,000 documents, more than double their sample, collected over roughly seven years, ending May 2026, then read and sorted by what each one actually held: personal data, sector context, and a category that did not exist in the pre-LLM corpus, the workflow exhaust of human-AI interaction.
And jsonformatter.org is only one storefront. The same operator runs codebeautify.org and a family of sibling "beautifier" tools that share a single save backend and a single pool of saved pastes, so a link saved through one is retrievable through the others. We harvested that shared pool across its sibling tools (jsonformatter.org, codebeautify.org, and the rest), reaching back roughly seven years. The documents this report analyses are the validated, deduplicated core of that harvest; the raw multi-tool surface behind them is larger still.
The headline number: at least 1,078 documents in this corpus carry a high-confidence flag for one or more named credentials, identifiers, or live secrets, and a further 2,167 carry the same flags at medium confidence. If you have ever debugged a production payload in a formatter on the open internet, the corpus probably contains your work. The point of this report is to argue that this is a structural problem, to show its shape in 2026 specifically, and to put a number on what it means for one country's regulated sectors.
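The report splits its flags into high and medium confidence without saying how the split is made. The check below is an added example, not the research team's tooling, of the kind of pre-paste guard that produces such a split for the two Turkish identifiers named in this report: a TCKN (11-digit national ID number, whose last two digits are checksums) and a Turkish IBAN (26 characters, validated by the ISO 7064 mod-97 rule). A value whose checksum verifies is flagged high; a value that merely has the right shape is flagged medium; a string sitting under a credential-looking key name is flagged medium regardless of content. The payload, the key names and every number in it are constructed test data, not corpus documents.

```python
"""Flag TCKNs, Turkish IBANs and credential-like keys in a JSON payload
before it leaves the laptop. Added example with constructed sample data;
the high/medium tiers are this example's own convention."""
import json
import re

# 11 digits, first digit non-zero, not embedded in a longer digit run
TCKN_RE = re.compile(r"(?<!\d)[1-9]\d{10}(?!\d)")
# "TR" + 2 check digits + 22 BBAN digits, optionally grouped in fours
IBAN_RE = re.compile(r"\bTR\d{2}(?:\s?\d{4}){5}\s?\d{2}\b", re.IGNORECASE)
# key names that usually hold credentials in debug payloads (assumed list)
SECRET_KEY_RE = re.compile(
    r"(secret|token|password|passwd|api[_-]?key|access[_-]?key|private[_-]?key)",
    re.IGNORECASE,
)


def tckn_checksum_ok(candidate: str) -> bool:
    """TCKN rule: d10 = (7*sum(odd positions 1..9) - sum(even positions 2..8)) mod 10,
    d11 = sum(d1..d10) mod 10. Positions are 1-based."""
    if len(candidate) != 11 or not candidate.isdigit() or candidate[0] == "0":
        return False
    d = [int(c) for c in candidate]
    odd = d[0] + d[2] + d[4] + d[6] + d[8]
    even = d[1] + d[3] + d[5] + d[7]
    return (odd * 7 - even) % 10 == d[9] and sum(d[:10]) % 10 == d[10]


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map letters
    to two-digit numbers (A=10 ... Z=35), and the whole number mod 97 must be 1."""
    compact = re.sub(r"\s+", "", candidate).upper()
    if len(compact) != 26 or not compact.startswith("TR"):
        return False
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def _scan_string(value: str, path: str, out: list) -> None:
    for m in TCKN_RE.finditer(value):
        conf = "high" if tckn_checksum_ok(m.group()) else "medium"
        out.append((conf, "TCKN", path, m.group()))
    for m in IBAN_RE.finditer(value):
        conf = "high" if iban_checksum_ok(m.group()) else "medium"
        out.append((conf, "IBAN", path, m.group()))


def _walk(node, path: str, out: list) -> None:
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}"
            if SECRET_KEY_RE.search(key) and isinstance(child, str) and child:
                out.append(("medium", "credential-key", child_path, child))
            _walk(child, child_path, out)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", out)
    elif isinstance(node, str):
        _scan_string(node, path, out)
    elif isinstance(node, int) and not isinstance(node, bool):
        # a TCKN stored as a bare integer is still a TCKN
        _scan_string(str(node), path, out)


def scan_json_text(text: str) -> list:
    """Return findings as (confidence, kind, json_path, value) tuples.
    If the paste is not valid JSON (truncated debugger output is common),
    fall back to scanning the raw text so nothing slips through unchecked."""
    out: list = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        _scan_string(text, "$", out)
        return out
    _walk(doc, "$", out)
    return out


# Constructed sample payload: the TCKN and IBAN are well-known test vectors,
# the second TCKN fails its checksum, the access key is an obvious placeholder.
SAMPLE_PASTE = """{
  "customer": {"name": "Test Musteri", "tckn": "10000000146",
               "iban": "TR33 0006 1005 1978 6457 8413 26"},
  "legacy_id": "10000000147",
  "queue": {"access_key": "EXAMPLE-NOT-A-REAL-KEY", "region": "eu-central-1"},
  "limit_try": 25000
}"""

if __name__ == "__main__":
    for conf, kind, path, value in scan_json_text(SAMPLE_PASTE):
        print(f"{conf:6} {kind:15} {path:22} {value}")
```

Run as a pre-commit hook or a clipboard filter, the rule is simple: any high-confidence finding blocks the paste, medium findings prompt the engineer to redact. The checksum step is what separates a real TCKN from an eleven-digit order number, which is exactly the distinction a corpus-level count has to make before it can be trusted.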
How we collected it (and what we did not do)
Every document referenced here was retrieved by issuing the same HTTP request the operator's own front-end issues to render the paste-viewer page. We did not bypass any authentication, because there was none to bypass; the endpoint is unauthenticated and the listing surface enumerates the identifiers. A residential proxy budget and a Saturday afternoon will replicate the corpus we describe at single-figure dollar cost. The hard problem was...