Researchers uncovered a widespread and alarming trend involving data leaks from Postman, a widely used cloud-based API development and testing platform.
The investigation reveals that improper management of Postman workspaces has resulted in over 30,000 publicly accessible collections exposing sensitive data, potentially paving the way for massive data breaches and unauthorized misuse.
The TRIAD Team’s year-long analysis highlighted critical cases in which sensitive data such as API keys, access tokens, refresh tokens, and even proprietary user data were inadvertently leaked via public Postman collections.
These incidents were reported across organizations of all sizes and from various industries. The exposed data represents a significant security risk, enabling threat actors to launch malicious campaigns, abuse legitimate services, and exfiltrate confidential information.
While some leaks can be attributed to API limitations and misconfigurations, in many cases, the root cause remains unidentified. In all instances, the TRIAD Team responsibly reported the vulnerabilities to the affected organizations, helping mitigate potential harm.
Examples of Data Exposure and Potential Impacts
1. Okta IAM API Leak in the Athletic Industry
A major athletic apparel company faced the risk of internal API manipulation due to leaked Postman workspaces from a third-party vendor. By gaining access to Okta IAM credentials and tokens stored in these workspaces, a malicious actor could potentially exfiltrate sensitive business data, such as invoices, shipment details, and trade-related information.
Unauthorized access to internal APIs could result in far-reaching consequences, including data breaches, financial losses, and reputational damage. Without robust monitoring systems, detecting such unauthorized actions would be challenging.
2. Zendesk Admin Credentials Leak in Healthcare
A healthcare firm inadvertently exposed active Zendesk administrator credentials through a shared Postman workspace. This risked a catastrophic breach, endangering both customer data and the organization’s entire support portal.
Malicious actors could exploit these credentials to access customer data, manipulate support operations, and even create phishing schemes, causing severe financial and brand damage.
3. Razorpay API Key Leak
Razorpay API keys were found exposed in multiple Postman workspaces, leaving payment systems vulnerable to abuse. This lapse could enable attackers to perform unauthorized transactions, leading to financial fraud.
The exposure of payment API keys could interrupt operations, tarnish user trust, and force organizations to overhaul their systems while addressing financial losses.
4. CRM Token Leaks
A Postman workspace publicly exposed a refresh token and session secrets of a CRM software platform, alongside an endpoint to generate access tokens. This granted attackers the ability to hijack sessions or access sensitive systems directly.
Unauthorized access to CRM systems could lead to data theft, service misuse, and further escalation of attacks through API-level exploitation.
5. New Relic API Credentials Exposure
A major software company’s New Relic API keys were unintentionally shared via Postman, enabling potential access to internal logs, microservices, and operational data.
Such exposure could reveal proprietary insights into system infrastructure, user activity, and business operations, giving attackers an upper hand.
The investigation identified several factors contributing to these unintended leaks, including:
- Unsanitized sharing: Teams often inadvertently share API collections that still contain sensitive data. Similarly, developers may accidentally upload unmasked credentials to public platforms like GitHub, exposing critical information.
- Misconfigured access controls: Poorly managed permissions can allow unauthorized access to sensitive workspaces.
- Plaintext storage: Storing sensitive information in plaintext within Postman collections or environment files makes it easily accessible to unauthorized parties.
- Long-lived tokens: Using tokens that are never rotated compounds these issues, heightening the risk of data theft if such tokens are exposed.
TRIAD’s research also highlighted large-scale exposure across popular API services:
- GitHub API: 5,924 leaked credentials.
- Slack API: Over 10,000 combined leaks.
- Salesforce, Microsoft, Razorpay, and others were heavily affected, emphasizing the pervasive nature of the issue.
To prevent such data leaks, the TRIAD Team advocates the following best practices:
- Use Environment Variables: Avoid hardcoding sensitive data and instead store them securely in environment variables.
- Restrict Permissions: Share collections and environments only with authorized personnel and audit permissions regularly.
- Rotate Tokens Frequently: Employ short-lived tokens and automate their rotation whenever possible.
- Leverage Secrets Management Tools: Use external tools to store and manage sensitive information securely.
- Conduct Regular Security Audits: Monitor access logs and review shared collections for potential vulnerabilities.
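The audit step above can be partly automated. The following scanner is an added example written for this article, not a tool from the TRIAD Team or from Postman: it walks an exported collection and an exported environment (the JSON layout used here, with `item`, `request.header`, `request.auth`, `request.url.query` and top-level `variable` / `values` arrays, is assumed to follow Postman's collection v2.1 and environment export formats) and reports any value that is a literal credential rather than a `{{variable}}` reference. The token patterns and both sample exports are constructed for the example; the pattern list is a starting point, not an exhaustive secret detector.

```python
"""Flag plaintext secrets in exported Postman collection/environment JSON.

Values written as {{var}} references are the recommended form; anything
that is a literal credential in a shared file is reported. All sample
data and token formats below are constructed for this example.
"""
import re
from dataclasses import dataclass

# A Postman variable reference such as {{api_key}} is what we want to see.
VAR_REF = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")

# Heuristic patterns for credential-looking literals (constructed, not exhaustive).
SECRET_PATTERNS = [
    ("bearer_token", re.compile(r"^Bearer\s+\S{20,}$", re.I)),
    ("jwt", re.compile(r"^eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*$")),
    ("razorpay_key", re.compile(r"^rzp_(test|live)_[A-Za-z0-9]{10,}$")),
    ("github_token", re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$")),
    ("slack_token", re.compile(r"^xox[abpr]-[A-Za-z0-9-]{10,}$")),
    ("high_entropy", re.compile(r"^[A-Za-z0-9_\-]{32,}$")),
]
# Field names that should never carry a literal value in a shared export.
SENSITIVE_KEYS = re.compile(r"(key|token|secret|password|auth)", re.I)


@dataclass(frozen=True)
class Finding:
    location: str  # where in the export the value was found
    key: str       # header / variable / auth field name
    kind: str      # which heuristic fired


def classify(key, value):
    """Return the finding kind for a literal value, or None if it looks safe."""
    if not isinstance(value, str) or not value or VAR_REF.match(value):
        return None
    for kind, pattern in SECRET_PATTERNS:
        if pattern.match(value):
            return kind
    if SENSITIVE_KEYS.search(key) and len(value) >= 8:
        return "literal_in_sensitive_field"
    return None


def _check(entries, location, out):
    """Classify each {key, value} entry and record findings."""
    for entry in entries:
        kind = classify(entry.get("key", ""), entry.get("value", ""))
        if kind:
            out.append(Finding(location, entry.get("key", "?"), kind))


def _walk_items(items, path, out):
    """Recurse through folders and requests of a collection export."""
    for item in items:
        name = f"{path}/{item.get('name', '?')}"
        if "item" in item:  # a folder
            _walk_items(item["item"], name, out)
            continue
        req = item.get("request", {})
        _check(req.get("header", []), f"{name}:header", out)
        auth = req.get("auth", {})
        _check(auth.get(auth.get("type", ""), []), f"{name}:auth", out)
        url = req.get("url", {})
        if isinstance(url, dict):
            _check(url.get("query", []), f"{name}:query", out)


def scan_collection(collection):
    """Scan collection-level variables and every request in the export."""
    out = []
    _check(collection.get("variable", []), "collection:variable", out)
    _walk_items(collection.get("item", []), "", out)
    return out


def scan_environment(env):
    """Scan an environment export; the file is what gets shared, so the
    literal is flagged regardless of the variable's declared type."""
    out = []
    _check(env.get("values", []), f"env:{env.get('name', '?')}", out)
    return out


# Constructed sample exports (not real credentials).
SAMPLE_COLLECTION = {
    "info": {"name": "Payments (constructed sample)"},
    "variable": [
        {"key": "base_url", "value": "https://api.example.test"},
        {"key": "razorpay_key", "value": "rzp_live_ABCDEFGHIJKLMN"},
    ],
    "item": [{"name": "Orders", "item": [{
        "name": "Create order",
        "request": {
            "method": "POST",
            "header": [
                {"key": "Authorization", "value": "{{auth_header}}"},
                {"key": "X-Api-Key", "value": "sk_constructed_0123456789abcdefghijklmnop"},
            ],
            "url": {"raw": "{{base_url}}/orders", "query": []},
            "auth": {"type": "bearer",
                     "bearer": [{"key": "token", "value": "eyJhbGciOi.eyJzdWIi.c2ln"}]},
        },
    }]}],
}
SAMPLE_ENV = {
    "name": "prod (constructed sample)",
    "values": [
        {"key": "base_url", "value": "https://api.example.test", "type": "default"},
        {"key": "slack_token", "value": "xoxb-0000000000-constructedtoken", "type": "default"},
        {"key": "github_token", "value": "ghp_constructedABCDEFGHIJKLMNOPQRSTUV", "type": "secret"},
    ],
}

if __name__ == "__main__":
    for f in scan_collection(SAMPLE_COLLECTION) + scan_environment(SAMPLE_ENV):
        print(f"{f.location}  {f.key}  [{f.kind}]")
```

Running this against a shared workspace's exports before publishing, or in a pre-commit hook for repositories that track Postman files, catches the plaintext-storage failure mode described above; the `Authorization: {{auth_header}}` header in the sample passes precisely because it follows the "use environment variables" recommendation.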
Postman’s Response
Acknowledging the severity of these findings, Postman has enhanced its security measures by implementing a secret-protection policy. This policy proactively warns users when sensitive data is detected in public workspaces and guides them toward corrective actions.
These updates underscore Postman’s commitment to safeguarding user data and improving its Public API Network’s security.
The TRIAD Team’s findings highlight the critical importance of robust API security practices in collaborative environments. Organizations must prioritize secure handling of API credentials and raise awareness among developers to mitigate risks associated with tools like Postman.
As APIs continue to power modern applications, ensuring their security is imperative to protect sensitive data and maintain trust in digital ecosystems.