Title: Major Data Leak Threatens Security of Thousands of Postman Workspaces
In a concerning development for cybersecurity, researchers have revealed a significant data leak involving Postman, the popular cloud-based platform for API development and testing. This alarming trend points to the improper management of Postman workspaces, resulting in over 30,000 publicly accessible collections that expose sensitive information. Such vulnerabilities carry the potential for widespread data breaches and unauthorized exploitation across different sectors.
The investigation, conducted by the TRIAD Team over the course of a year, uncovered critical cases of leakage involving sensitive data elements such as API keys, access tokens, refresh tokens, and proprietary user information. These data exposures were identified across numerous organizations, ranging from small startups to large enterprises, indicating a pervasive risk that can facilitate malicious activities, including the launch of cyberattacks and the exfiltration of confidential material.
Among the notable instances of data exposure, a major athletic apparel brand faced potential internal API manipulation due to leaked Postman workspaces from a third-party vendor, endangering Okta IAM credentials. An unauthorized user gaining access to these credentials could have potentially compromised sensitive business data like invoices and shipping information, raising critical concerns about the implications of such unauthorized access.
In another instance, a healthcare organization inadvertently exposed active Zendesk administrator credentials through a shared Postman workspace, putting customer data and the integrity of the entire support portal at risk. This situation could have enabled malicious actors to manipulate support operations, escalated phishing attacks, and jeopardized financial and reputational standing.
The threats extend to financial sectors as well, with Razorpay API keys found exposed in several public Postman workspaces. This violation not only jeopardizes transaction security but risks unauthorized financial transactions that could lead to considerable fraud. Similarly, refresh tokens and session secrets of a CRM software platform were publicly visible, allowing attackers to hijack sessions or directly access critical systems.
Significant factors contributing to these leaks involve the inadvertent sharing of sensitive API collections without proper sanitization and the careless management of access controls. Teams may unknowingly expose critical information when sharing resources, while poorly configured permissions can facilitate unauthorized access to sensitive workspaces. Furthermore, the storage of sensitive data in plaintext and the use of long-lived tokens without rotation markedly increase the risk of data theft.
The TRIAD Team’s analysis reveals the extent of the problem, identifying numerous incidents involving major API services such as GitHub and Salesforce—further emphasizing the need for robust security practices in collaborative environments. Effective measures are essential to mitigate risks, including the use of environment variables to store sensitive data securely and the implementation of strict permission controls.
Recognizing the seriousness of this situation, Postman has bolstered its security policies by introducing a secret-protection measure that alerts users to sensitive data within public workspaces and guides them toward corrective actions. This proactive approach underscores the company’s commitment to safeguarding user data and enhancing the security of its Public API Network.
These recent disclosures serve as a critical reminder of the importance of stringent API security measures, particularly for organizations engaged in collaborative software development. As APIs play a pivotal role in modern applications, maintaining their security is paramount to protecting sensitive data and preserving trust in the digital marketplace.
In terms of the attack vectors likely utilized, this incident may involve multiple MITRE ATT&CK tactics such as initial access through the inadvertent exposure of sensitive credentials, persistence via improperly configured APIs, and privilege escalation due to mismanaged access controls. By understanding these strategies, organizations can better prepare to thwart potential data breaches and secure their digital assets.
