Thousands of commonly used public workspaces leak data
- Many organizations using Postman workspaces are putting their data at risk
- Researchers found that tens of thousands of publicly accessible workspaces were leaking data
- The leaked data contained sensitive information about third-party APIs
Many organizations using Postman workspaces are putting their data, employees, customers and partners at risk due to various misconfigurations, experts warn.
CloudSEK’s Triad team has discovered more than 30,000 publicly accessible Postman workspaces leaking sensitive information.
For those unfamiliar with Postman, it is a collaborative platform for API development, often used as a public workspace for creating, testing, sharing, and managing APIs. It provides tools for developers to streamline the API lifecycle, from design and testing to documentation and implementation.
Widespread misconfigurations
CloudSEK said these tens of thousands of publicly accessible workspaces leaked sensitive information about third-party APIs, including access tokens, refresh tokens, and third-party API keys. Sensitive information exposed includes administrative credentials, payment processing API keys, and access to internal systems.
Companies of all shapes and sizes leaked data, from SMEs to large enterprises, the researchers said. Some owners of the leaked API keys and access tokens remain unidentified, as inadequate permissions and API restrictions prevented researchers from identifying them.
The main platforms affected include GitHub (5,924 exposures), Slack (5,552) and Salesforce (4,206), while the most vulnerable sectors include healthcare, sportswear and financial services.
The misconfigurations are widespread, CloudSEK says, adding that organizations are exposed to “significant security risks,” including “serious financial and reputational damage.”
“Postman workspaces often contain sensitive data, including API keys, tokens, credentials, and documentation,” the researchers said. “If misused, this data becomes a treasure trove for malicious actors who can exploit vulnerabilities for financial fraud, data breaches and reputational damage.”
CloudSEK said it reported most of the incidents to the respective organizations, but did not discuss how many responded and how. It did say that Postman has implemented new security measures, including proactive secret detection and user notifications when sensitive data is found in public workspaces.
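As an added illustration of the kind of secret detection described above (not CloudSEK's or Postman's own tooling), the following Python script walks an exported Postman v2.1 collection and flags literal tokens in collection variables, request headers, auth blocks and raw bodies, while accepting `{{variable}}` references as safe. The sample collection and every token value in it are constructed for the demo.

```python
import re

# Token formats for two of the platforms named in the report, plus a literal
# bearer header. Values written as {{variable}} are references, not secrets.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{30,}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b"),
    "bearer_literal": re.compile(r"^Bearer\s+(?!\{\{)\S{16,}$", re.I),
}
PLACEHOLDER = re.compile(r"^\{\{[^}]+\}\}$")

def _check(value, location, findings):
    """Record every pattern that matches a literal (non-placeholder) string."""
    if not isinstance(value, str) or PLACEHOLDER.match(value.strip()):
        return
    for kind, pattern in SECRET_PATTERNS.items():
        if pattern.search(value):
            findings.append((location, kind))

def scan_collection(collection):
    """Walk a Postman v2.1 collection dict; return [(location, secret_type)]."""
    findings = []
    for var in collection.get("variable", []):
        _check(var.get("value"), f"variable:{var.get('key')}", findings)

    def walk(items, path):
        for item in items:
            name = f"{path}/{item.get('name')}"
            if "item" in item:  # folder: recurse into its children
                walk(item["item"], name)
                continue
            req = item.get("request") or {}
            for header in req.get("header", []):
                _check(header.get("value"), f"{name}:header:{header.get('key')}", findings)
            auth = req.get("auth") or {}
            for entry in auth.get(auth.get("type", ""), []):  # e.g. auth["bearer"]
                _check(entry.get("value"), f"{name}:auth:{entry.get('key')}", findings)
            _check((req.get("body") or {}).get("raw"), f"{name}:body", findings)
    walk(collection.get("item", []), "")
    return findings

# Constructed sample collection; every token value is a fake placeholder.
SAMPLE = {
    "variable": [{"key": "slack_token", "value": "xoxb-0000000000-FAKEFAKEFAKE"}],
    "item": [
        {"name": "GitHub", "item": [{"name": "list repos", "request": {
            "header": [{"key": "Authorization", "value": "Bearer ghp_" + "A" * 36}]}}]},
        {"name": "internal api", "request": {
            "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{api_token}}"}]},
            "header": [{"key": "Authorization", "value": "Bearer {{api_token}}"}]}},
    ],
}
```

Running `scan_collection(SAMPLE)` reports the Slack token in the collection variable and the GitHub token in the header (as both a GitHub token and a literal bearer value), while the request that uses `{{api_token}}` produces no findings.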