
(The) Postman Carries Lots of Secrets

submitted by
Style Pass
2024-04-26 08:30:17

tl;dr Postman, the popular API testing platform, hosts the largest collection of public APIs. Unfortunately, it’s become one of the largest public sources of leaked secrets. We estimate over 4,000 live credentials are currently leaking publicly on Postman for a variety of popular SaaS and cloud providers.

In this article, we share our research on credential exposure on Postman. Want to scan a Postman workspace with TruffleHog right now? Try our new command:

A few years ago, to compete with RapidAPI and others, Postman launched a public network for developers to “share and showcase” their APIs. 

Postman users can make their private workspaces and collections public for the entire world to use. On the surface, the idea of conveniently sharing API documentation with others sounds great, especially since so many API developers already work out of Postman.

Unfortunately, an unclear UI and an ambiguous taxonomy have created an environment where developers unintentionally leak thousands of secrets. This has created a significant opportunity for attackers to steal credentials.
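To make concrete where credentials end up inside a shared collection, here is an added example scanner (not TruffleHog's code and not part of the original article). It walks a Postman Collection v2.1 export and flags literal values that sit under credential-looking key names or match a few well-known key formats, while skipping `{{variable}}` references that are resolved from an environment rather than stored in the collection. The collection JSON, the key values in it, and the detection patterns are all constructed for illustration; the `AKIA…EXAMPLE` value is AWS's documented placeholder, and the `sk_live_` values are fake.

```python
"""Scan a Postman Collection v2.1 export for hard-coded credentials.

Added example; the collection below is constructed and every secret in it is fake.
"""
import json
import re

# Constructed sample: secrets in the three places they usually land in a
# shared collection: collection variables, the collection-level auth block,
# and a hard-coded request header.
SAMPLE_COLLECTION = json.dumps({
    "info": {
        "name": "payments-api",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
    },
    "variable": [
        {"key": "base_url", "value": "https://api.example.com"},
        {"key": "api_key", "value": "sk_live_EXAMPLEEXAMPLEEXAMPLE1234"},  # fake
    ],
    # A {{variable}} reference, not a literal: should NOT be reported on its own.
    "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{api_key}}"}]},
    "item": [
        {
            "name": "List charges",
            "request": {
                "method": "GET",
                "url": "{{base_url}}/v1/charges",
                "header": [{"key": "Authorization",
                            "value": "Bearer sk_live_EXAMPLEEXAMPLEEXAMPLE5678"}],  # fake
            },
        },
        {
            "name": "Upload report",
            "request": {
                "method": "POST",
                "url": "{{base_url}}/v1/reports",
                "header": [{"key": "X-Aws-Access-Key-Id", "value": "AKIAIOSFODNN7EXAMPLE"}],
                "body": {"mode": "raw", "raw": "{\"note\": \"hello\"}"},
            },
        },
    ],
})

# Key names that usually hold a credential (illustrative list, not exhaustive).
SENSITIVE_KEY = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd|authorization|access[_-]?key)")

# Value formats with a recognisable prefix (illustrative subset).
VALUE_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-live-key": re.compile(r"\bsk_live_[0-9A-Za-z]{20,}\b"),
    "bearer-token": re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{16,}"),
}

# A value that is only a {{placeholder}} is filled in from an environment.
PLACEHOLDER = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")


def _walk(node, path):
    """Yield (location, key_name, string_value) for every string in the export.

    Postman stores headers, variables and auth params as {"key": ..., "value": ...}
    objects, so those are yielded as one named pair instead of two unrelated strings.
    """
    if isinstance(node, dict):
        if isinstance(node.get("key"), str) and isinstance(node.get("value"), str):
            yield "/".join(path), node["key"], node["value"]
        for k, v in node.items():
            if k in ("key", "value") and "key" in node and "value" in node:
                continue
            yield from _walk(v, path + [k])
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + [str(i)])
    elif isinstance(node, str):
        yield "/".join(path), (path[-1] if path else ""), node


def scan_collection(collection_json):
    """Return a list of findings: location, key, value and why it was flagged."""
    findings = []
    for location, key, value in _walk(json.loads(collection_json), []):
        if not value or PLACEHOLDER.match(value):
            continue  # empty or an environment reference, not a literal secret
        reasons = [name for name, rx in VALUE_PATTERNS.items() if rx.search(value)]
        if SENSITIVE_KEY.search(key):
            reasons.append("sensitive-key-name")
        if reasons:
            findings.append({"location": location, "key": key,
                             "value": value, "reasons": reasons})
    return findings


def redact(value, keep=4):
    """Show only a prefix so findings can be logged without re-leaking the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


if __name__ == "__main__":
    for f in scan_collection(SAMPLE_COLLECTION):
        print(f"{f['location']}: {f['key']} = {redact(f['value'])}  [{', '.join(f['reasons'])}]")
```

On the constructed sample this reports the `api_key` collection variable, the hard-coded `Authorization` header and the AWS header, and stays silent on the `{{api_key}}` bearer reference: the pattern a real scanner such as TruffleHog then takes further by verifying each candidate against the provider before reporting it as live.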
