Thousands of API Secrets Exposed on Postman – Are Your Credentials At Risk?

Postman API Secrets Exposed

Postman, the tool beloved by developers for testing and building APIs, is unwittingly becoming a treasure trove for hackers. Security firm Truffle Security uncovered a shocking problem: thousands of live API keys, authentication tokens, and sensitive data are readily accessible on Postman’s Public API Network. This leak could have wide-ranging consequences for individuals and organizations alike.

Truffle Security’s latest report, titled “Postman Carries Lots of Secrets,” estimates that there are over 4,000 live credentials currently accessible on Postman, making it a goldmine for potential attackers.

Truffle Security employed their tool, TruffleHog, to scan approximately 40,000 unique workspaces on Postman. They identified 1,689 unique credentials linked to 183 different service providers, including major names like AWS, GCP, OpenAI, and GitHub. The most common type of exposed data was sensitive URIs, which include URLs containing confidential access credentials.

The leakage mainly results from a few factors:

  1. Forks: Similar to GitHub, Postman’s fork feature allows users to duplicate and modify existing collections. Many users mistakenly upload their active credentials when testing these forks, leaving them publicly exposed.
  2. Environment Variables Mismanagement: Postman allows for ‘secret’ and ‘default’ environment variables, which are often misunderstood by users. The ‘secret’ type only obscures the value on-screen, but it is still accessible to anyone viewing the workspace.
  3. Insufficient Secret Scanning: While Postman does offer a secret scanning tool, its effectiveness is limited, and it operates post-publication, often too late to prevent exposure.

Despite identifying a staggering number of leaks, Truffle Security acknowledges that their findings represent just the tip of the iceberg. Given Postman’s claim of hosting over 200,000 workspaces, the real number of exposed secrets could be significantly higher, potentially reaching up to 6,000 or more. This estimate considers that their scan covered less than 20% of the total workspaces.

The exposure of API keys and other sensitive data can lead to severe security breaches, potentially compromising personal and corporate data and incurring substantial financial and reputational damage. To mitigate these risks, Truffle Security recommends several actions:

  • Enhanced User Education: Postman should invest in educating its users about the security implications of their actions within the platform.
  • Improved UI/UX: Simplifying and clarifying the interface could help prevent accidental leaks.
  • Robust Secret Scanning: Implementing more rigorous and preemptive scanning mechanisms could detect and prevent leaks before the data becomes public.

Postman must shoulder some responsibility for improving user education and security tools within its platform. At the same time, this incident highlights that even the most convenient development tools require a security-conscious mindset. Every developer needs to be aware of the potential for leaks and approach public sharing platforms with extreme caution.