Postman API Testing Platform Flaw Exposes Sensitive Credentials

Truffle Security Co. has recently discovered a major vulnerability in Postman, the widely used API testing platform.

This flaw exposed over 4,000 active credentials, creating serious security concerns for the impacted individuals or organizations.

This vulnerability has positioned Postman as one of the largest public sources of leaked secrets, affecting many SaaS and cloud providers.

Postman, renowned for hosting the largest public APIs, introduced a public network a few years ago to allow developers to share and showcase their APIs.

The Scale of Exposure

Truffle Security’s investigation revealed that live secrets from 183 different SaaS and cloud providers, including giants like AWS, GCP, OpenAI, GitHub, and Postman itself, were found leaking on the platform.

The most commonly exposed type of secret was identified as sensitive URIs.

Utilizing Postman’s search API, Truffle Security compiled a list of approximately 40,000 unique workspaces.

Each workspace was then scanned with TruffleHog’s new Postman secret scanner, leading to the discovery of 1,689 live, unique credentials representing 183 different types of secrets.

The exposure of such a vast number of credentials poses a significant risk to the developers and companies involved and the integrity and security of the broader digital ecosystem.

This situation creates a fertile ground for attackers to steal credentials, potentially leading to unauthorized access, data breaches, and other cybercrimes.

Moving Forward

In light of these findings, developers and companies using Postman are urged to review their workspace settings and ensure that no sensitive information is inadvertently made public.

Additionally, Postman may need to revisit its UI and taxonomy to help users understand the implications of making their workspaces public.

Truffle Security Co. has also provided a tool, TruffleHog’s Postman secret scanner, for users to scan their Postman workspaces for exposed secrets, encouraging immediate action to mitigate potential risks.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo