- Many organizations using Postman workspaces are putting their data at risk
- Researchers found tens of thousands of publicly accessible workspaces leaking data
- The data leaked is includes sensitive information about third-party API
Many organizations using Postman workspaces are putting their data, employees, customers, and partners at risk, due to various misconfigurations, experts have warned.
CloudSEK’s Triad team uncovered more than 30,000 publicly accessible Postman workspaces leaking sensitive information.
For those unfamiliar with Postman, it is a collaborative platform for API development, often used as a public workspace for creating, testing, sharing, and managing APIs. It provides tools for developers to streamline the API lifecycle, from design and testing to documentation and deployment.
Widespread misconfigurations
CloudSEK said these tens of thousands of publicly accessible workspaces were leaking sensitive information about third-party API, including access tokens, refresh tokens, and third-party API keys. Sensitive information uncovered includes administrator credentials, payment processing API keys, and access to internal systems.
Companies of all shapes and sizes were leaking data, from SMBs to large enterprises, the researchers further said. Some owners of the leaked API keys and access tokens are still unidentified, since inadequate permissions and API limitation prevented researchers from identifying them.
Major platforms impacted include GitHub (5,924 exposures), Slack (5,552), and Salesforce (4,206), while most exposed sectors include healthcare, athletic apparel, and financial services.
The misconfigurations are widespread, CloudSEK says, adding that organizations are exposed to “significant security risks”, which includes “severe financial and reputational damage.”
“Postman workspaces often contain sensitive data, including API keys, tokens, credentials, and documentation,” the researchers said. “When mishandled, this data becomes a treasure trove for malicious actors capable of exploiting vulnerabilities for financial fraud, data breaches, and reputational damage.”
CloudSEK said it reported most of the incidents to its respective organizations, but did not discuss how many responded, and how. It did say that Postman implemented new security measures, which include proactive secret detection and user notifications when sensitive data is found in public workspaces.
