Postman Workspaces Leak 30,000 API Keys and Sensitive Tokens
Thousands of public Postman workspaces leaked sensitive data such as API keys and tokens. Learn the practices that keep secrets out of your API development environment and protect your organization.
****SUMMARY****
30,000 Public Workspaces Exposed: CloudSEK identifies massive data leaks from Postman workspaces.
Sensitive Data at Risk: Leaks include API keys, tokens, and administrator credentials.
Major Platforms Affected: GitHub, Slack, and Salesforce among the impacted services.
Key Causes: Misconfigured access, plaintext storage, and public sharing of collections.
Mitigation Steps: Use environment variables, rotate tokens, and adopt secret management tools.
On December 23, 2024, CloudSEK's TRIAD team published findings on serious security risks arising from the misuse of Postman Workspaces, a popular cloud-based API development and testing platform. The exposures stem from how workspaces are configured and shared, not from a flaw in Postman itself.
In a year-long investigation, the researchers found over 30,000 publicly accessible workspaces leaking credentials for third-party APIs, including access tokens, refresh tokens and API keys, posing severe risks to businesses and individuals alike.
(Image: CloudSEK)
According to the company's report shared with Hackread.com, the leaked data spanned organizations of every size, from small businesses to large enterprises, and involved credentials for major platforms including GitHub, Slack and Salesforce. Affected sectors included healthcare, athletic apparel and financial services.
The researchers noted that the leaks commonly trace back to a few practices: inadvertent sharing of Postman collections, misconfigured access controls, syncing collections to publicly accessible source repositories, and storing sensitive data in plaintext inside collections and environments rather than referencing it from a protected store.
The consequences can be severe. The leaked data included administrator credentials, payment-processing API keys and access to internal systems, exposing the affected organizations to financial and reputational damage.
Reportedly, the API hosts with the most exposed secrets were api.github.com, slack.com and hooks.slack.com. Credentials for high-profile services such as salesforce.com, login.microsoftonline.com and graph.facebook.com were also found.
Leaked Zendesk credentials and a leaked Razorpay API key (Image: CloudSEK)
A leaked API key or access token gives an attacker direct access to the systems and data behind it, which can lead to data breaches and unauthorized system access, and the data obtained can in turn be used for phishing and social-engineering attacks.
Postman collections and environments often carry API keys, secrets and PII used to authenticate to and call APIs. To keep that data out of shared artifacts, organizations should store secrets in environment variables rather than in collection bodies, limit the permissions granted to each token, avoid long-lived tokens, keep secrets in an external secrets manager, and review every collection or environment for hardcoded values before sharing it.
CloudSEK responsibly reported most of the identified exposures to the affected organizations to help them mitigate the risk, and urges organizations to adopt the measures above: environment variables instead of hardcoded secrets, least-privilege permissions, frequent token rotation, a secrets-management tool, and a check of every collection before it is shared.
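The "check every collection before it is shared" step, and the plaintext-secrets-in-synced-collections cause described earlier, can both be addressed with a small pre-share scanner. The script below is an added example written for this article; it is not CloudSEK's tooling and not anything Postman ships. It reads a collection export in Postman's v2.1 JSON format, walks every folder and request, flags hardcoded secrets in the auth block, headers, query string and URL, then rewrites each one to a {{variable}} reference and returns the real values as a separate environment that stays private. The token regexes, the list of credential-bearing field names, the exact shape of the environment export and the sample collection (whose tokens are made-up placeholders) are all assumptions made for the example, not facts from the report.

```python
"""Pre-share secret check for a Postman collection (v2.1 JSON export): scan() flags
literals that look like secrets in the fields where Postman keeps credentials (auth
block, headers, query string, URL); redact() swaps them for {{variables}}."""
import json
import re
import sys
from urllib.parse import urlparse

# Assumed token shapes modelled on public prefixes (GitHub, Slack, Razorpay); not exhaustive.
SECRET_PATTERNS = {
    "github_token": re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}"),
    "slack_token": re.compile(r"xox[abp]-[A-Za-z0-9-]{10,}"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
    "razorpay_key": re.compile(r"rzp_(?:test|live)_[A-Za-z0-9]{10,}"),
}
VAR_REF = re.compile(r"\{\{[^}]+\}\}")  # a {{variable}} reference is not a leak
SENSITIVE_KEYS = {"authorization", "x-api-key", "api_key", "apikey", "token",
                  "password", "secret", "access_token", "refresh_token", "client_secret"}

def classify(key, value):
    """(label, secret_text) if `value` carries a hardcoded secret, else None."""
    if not isinstance(value, str):
        return None
    for label, pattern in SECRET_PATTERNS.items():
        m = pattern.search(value)
        if m:
            return label, m.group(0)
    # Unknown format, but a credential-bearing field with no {{variable}}: treat as hardcoded.
    if key.lower() in SENSITIVE_KEYS and not VAR_REF.search(value):
        token = value.split()[-1] if value.strip() else ""  # drops a "Bearer"/"Basic" prefix
        if len(token) >= 16:
            return "opaque_credential", token
    return None

def _host(url):  # Postman stores a URL as a string or as a {raw, host, ...} object
    raw = url.get("raw", "") if isinstance(url, dict) else (url or "")
    return urlparse(raw if "://" in raw else "https://" + raw).hostname or ""

def _credential_fields(request):  # yields (location, key, holder_dict, field_name)
    auth = request.get("auth") or {}
    for entry in auth.get(auth.get("type", "")) or []:
        yield "auth", entry.get("key", ""), entry, "value"
    for header in request.get("header") or []:
        yield "header", header.get("key", ""), header, "value"
    url = request.get("url")
    if isinstance(url, dict):
        for param in url.get("query") or []:
            yield "query", param.get("key", ""), param, "value"
        yield "url", "raw", url, "raw"
    elif isinstance(url, str):
        yield "url", "raw", request, "url"

def iter_requests(items, path=()):  # depth-first over folders; yields (path, request)
    for item in items or []:
        here = path + (item.get("name", "?"),)
        if "item" in item:
            yield from iter_requests(item["item"], here)
        elif "request" in item:
            yield "/".join(here), item["request"]

def scan(collection):
    """One finding per hardcoded secret: request path, host, location, key, label, secret."""
    findings = []
    for name, request in iter_requests(collection.get("item")):
        for location, key, holder, field in _credential_fields(request):
            hit = classify(key, holder.get(field))
            if hit:
                findings.append({"request": name, "host": _host(request.get("url")), "location": location,
                                 "key": key, "label": hit[0], "secret": hit[1], "holder": holder, "field": field})
    return findings

def redact(collection):  # rewrite flagged literals to {{variables}} in place; return (findings, environment)
    findings, values = scan(collection), {}
    for f in findings:
        var = f"{f['host'].replace('.', '_') or 'unknown'}_{f['label']}"  # e.g. api_github_com_github_token
        if var in values and values[var] != f["secret"]:  # a second, different token for the same host
            var = f"{var}_{len(values)}"
        values[var] = f["secret"]
        f["holder"][f["field"]] = f["holder"][f["field"]].replace(f["secret"], "{{" + var + "}}")
    # Postman environment export shape (key/value/enabled; type "secret" makes the app mask it): assumed.
    env = {"name": collection.get("info", {}).get("name", "collection") + " (secrets)",
           "values": [{"key": k, "value": v, "enabled": True, "type": "secret"} for k, v in values.items()]}
    return findings, env

SAMPLE_COLLECTION = {"info": {"name": "Internal integrations"}, "item": [  # constructed; tokens are placeholders
    {"name": "GitHub", "item": [{"name": "List repos", "request": {
        "url": {"raw": "https://api.github.com/user/repos", "host": ["api", "github", "com"]},
        "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"}]}}}]},
    {"name": "Slack notify", "request": {
        "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"}},
    {"name": "Zendesk tickets", "request": {
        "url": {"raw": "https://example.zendesk.com/api/v2/tickets.json"},
        "header": [{"key": "Authorization", "value": "Bearer 9f3c2b1a0d4e5f6a7b8c9d0e1f2a3b4c"}]}},
]}

if __name__ == "__main__":  # python check_collection.py [collection.json]; no argument scans the sample
    collection = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_COLLECTION
    for f in scan(collection):
        print(f"{f['label']:18} {f['host']:22} {f['location']}:{f['key']}  in {f['request']}")
    print(json.dumps(redact(collection)[1], indent=2))
```

Run it with the path of an exported collection, or with no argument to scan the constructed sample; wired into a pre-commit hook, it refuses a collection that is about to be synced to a repository while it still contains literals. The opaque_credential heuristic flags any 16-plus-character literal in a credential-bearing field that is not a {{variable}} reference, which is the right trade-off before a public share: a false positive costs a glance, a missed key costs a breach.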
Following the disclosure, Postman has introduced a secret-protection policy for public workspaces: it alerts users when secrets are detected in a workspace, suggests how to resolve them, and helps move the workspace to a private or team workspace.
“Starting this month, we are removing public workspaces with known exposed secrets from the Public API Network. As we roll out this policy change, owners of public workspaces containing secrets will be notified and have the opportunity to remove their exposed secrets before that workspace is removed from the network,” the company noted.