
Online JSON Formatter Leak Shows Why Local-First Tools Matter

What the Research Found

watchTowr Labs published research on November 25, 2025 showing that saved submissions on popular online formatter services could expose the exact data developers had pasted into those tools. The researchers focused on JSONFormatter and CodeBeautify, then collected more than 80,000 saved pieces of JSON and related code before stopping their crawl.

The exposed material included credentials, private keys, API tokens, administrative JWTs, customer PII, internal endpoints, build configuration, and security hardening scripts. TechRadar's follow-up coverage reported the same core finding: formatter and beautifier workflows were leaking sensitive data from organizations in critical infrastructure, government, finance, healthcare, telecom, technology, and other sectors.

Why Formatter Workflows Leak

The risk was not JSON parsing itself. It came from product behavior around pasted input. The sites the researchers examined offered save and sharing flows, plus public recent-link pages that made saved entries easy to discover. A developer who only wanted to pretty-print an API response could accidentally turn that payload into a recoverable web resource.

That distinction matters for JSON tooling. A formatter, validator, diff tool, or Base64 decoder often sees production-like payloads because developers use these tools during debugging. If the tool uploads input to a server, logs request bodies, stores shared links, or exposes a recent history view, a routine paste can become a data exposure path.

The Local-First Lesson

Browser-based local processing changes the default risk profile. When JSON repair, validation, formatting, diffing, Base64 decoding, and URL decoding happen inside the browser tab, the pasted payload does not need to travel to an application server just to be inspected.

Local-first design is not a license to paste secrets everywhere. Hosting, analytics, advertising scripts, extensions, screenshots, and user mistakes can still create risk. But keeping the core parsing and transformation path in the browser removes the most direct server-side storage and sharing failure that watchTowr documented.

Guidance for Developers

Treat any save, share, recent, or permalink feature as publication unless the tool proves otherwise. For payloads that include credentials, JWTs, API keys, customer data, database exports, or private configuration, redact first and prefer tools that can work without uploading the content.

Teams should also rotate any secret that has been pasted into an untrusted formatter, update internal guidance for API debugging, and use OWASP-style secrets management controls instead of relying on Base64, obscurity, or short-lived shared links. The safer developer workflow is boring: local tools for inspection, secrets managers for credentials, and sanitized examples for anything that leaves the workstation.
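One way to put the "redact first" advice into practice, as an added example written for this article rather than code from watchTowr or fixjson.org: a small redaction pass that runs entirely in the browser tab (or Node) and flags sensitive key names and JWT-shaped values before a payload is pasted anywhere. The key-name list, the JWT regex and the sample payload are assumptions constructed for the example.

```javascript
// Added example, not code from watchTowr or fixjson.org: a local redaction
// pass to run over a payload before it goes near any save/share/recent feature.
// It runs in the browser tab or Node and sends nothing anywhere.
const SENSITIVE_KEY = /(pass(word)?|secret|token|api[_-]?key|authorization|private[_-]?key)/i; // assumed list
const JWT_VALUE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/; // three base64url segments

// Walks the parsed document, swaps sensitive values for a marker and records
// the JSON path of each redaction so the developer can review what changed.
function redactValue(value, path, findings) {
  if (Array.isArray(value)) {
    return value.map((item, i) => redactValue(item, `${path}[${i}]`, findings));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (SENSITIVE_KEY.test(key) && (typeof child === 'string' || typeof child === 'number')) {
        findings.push({ path: childPath, reason: 'sensitive key name' });
        out[key] = '[REDACTED]';
      } else {
        out[key] = redactValue(child, childPath, findings);
      }
    }
    return out;
  }
  if (typeof value === 'string' && JWT_VALUE.test(value)) {
    findings.push({ path, reason: 'JWT-shaped value' });
    return '[REDACTED JWT]';
  }
  return value;
}

// Parses, redacts and re-serialises; invalid JSON throws instead of slipping through.
function redactJson(text) {
  const findings = [];
  const redacted = redactValue(JSON.parse(text), '', findings);
  return { text: JSON.stringify(redacted, null, 2), findings };
}

// Constructed sample resembling an API debugging response; all values are fake.
const SAMPLE = JSON.stringify({
  user: { id: 42, email: 'dev@example.com' },
  auth: { access_token: 'eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYWRtaW4ifQ.c2lnbmF0dXJlLXBsYWNlaG9sZGVy' },
  config: { api_key: 'constructed-not-real', region: 'eu-west-1' },
  notes: ['ok', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.YW5vdGhlci1wbGFjZWhvbGRlcg'],
});

const report = redactJson(SAMPLE);
console.log(report.text);
console.log(`${report.findings.length} redaction(s):`, report.findings.map((f) => `${f.path} (${f.reason})`));
```

The findings list is the part to read before pasting: each entry names the JSON path that was changed, so a redaction that hit a non-secret field is easy to spot and a value the heuristics missed can still be caught by eye.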
