- Many organizations using Postman workspaces are putting their data at risk
- Researchers discovered tens of thousands of publicly accessible workspaces leaking data
- The leaked data includes sensitive details about third-party APIs, including live access tokens and API keys
Many organizations using Postman workspaces are putting their data, employees, customers, and partners at risk because of various misconfigurations, experts have warned.
CloudSEK’s Triad team uncovered more than 30,000 publicly accessible Postman workspaces leaking sensitive information.
For those unfamiliar with Postman, it is a collaborative platform for API development, often used through public workspaces for creating, testing, sharing, and managing APIs. It provides tools for developers to streamline the API lifecycle, from design and testing to documentation and deployment. A workspace that is set to public is readable by anyone on the internet, and its collections, environments, and request history are indexed by Postman’s own search, so any literal secret saved in it is effectively published.
Common misconfigurations
CloudSEK said these tens of thousands of publicly accessible workspaces were leaking sensitive information about third-party APIs, including access tokens, refresh tokens, and third-party API keys. The typical mistake is not a flaw in Postman itself: developers paste a working credential directly into a request header, an auth block, or an environment variable instead of referencing a variable whose value lives only locally, and then share or fork the collection into a public workspace. The exposed information includes administrator credentials, payment processing API keys, and access to internal systems.
Companies of all shapes and sizes were leaking data, from SMBs to large enterprises, the researchers further said. Some owners of the leaked API keys and access tokens remain unidentified, since insufficient permissions and API limitations prevented the researchers from attributing them.
Major platforms affected include GitHub (5,924 exposures), Slack (5,552), and Salesforce (4,206), while the most exposed sectors include healthcare, athletic apparel, and financial services.
The misconfigurations are widespread, CloudSEK says, adding that organizations are exposed to “significant security risks”, which include “severe financial and reputational damage.”
“Postman workspaces often contain sensitive data, including API keys, tokens, credentials, and documentation,” the researchers said. “When mishandled, this data becomes a treasure trove for malicious actors capable of exploiting vulnerabilities for financial fraud, data breaches, and reputational damage.”
CloudSEK said it reported most of the incidents to the respective organizations, but did not discuss how many responded, or how. It did say that Postman implemented new security measures, which include proactive secret detection and user notifications when sensitive data is found in public workspaces. Those notifications are reactive; the practical defence remains to treat every Postman export the way you treat a Git commit: scan it for literal credentials before it is pushed to a shared or public workspace, and rotate anything that has already been exposed rather than merely deleting it.
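The kind of check described above, leaking tokens in headers, auth blocks and environment variables and the secret detection Postman now runs on public workspaces, can be reproduced locally over an exported collection or environment JSON file. The following is an added example written for this page; it is not CloudSEK’s tooling or Postman’s own secret detection. It walks the export, ignores `{{variable}}` references, flags values matching the well-known GitHub, Slack and AWS token prefixes, flags any literal stored under a sensitive-looking key, and falls back to a Shannon-entropy rule for opaque tokens without a recognisable prefix. The entropy threshold, the list of sensitive key names and the sample collection and environment are all constructed assumptions for the demonstration.

```python
"""Scan exported Postman JSON (collection, environment, globals) for literal secrets.
Added example for illustration; not CloudSEK's or Postman's detection code."""
import json
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Public token prefixes for the platforms the report names most often.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "slack_token": re.compile(r"\bxox[abpers]-[0-9A-Za-z-]{10,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
PLACEHOLDER = re.compile(r"^\{\{[^{}]+\}\}$")      # Postman {{variable}} reference
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")  # plausible opaque token (no URLs)
SENSITIVE_KEYS = ("authorization", "api-key", "api_key", "apikey",
                  "token", "secret", "password")    # assumed list, extend as needed
ENTROPY_BITS = 4.0                                  # assumed threshold (bits/char)


@dataclass
class Finding:
    path: str    # JSON path inside the export, e.g. item/0/request/header/1
    key: str     # header name, variable name or auth field
    kind: str    # which rule fired
    sample: str  # redacted value, safe to print


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def match_pattern(text):
    for kind, pattern in TOKEN_PATTERNS.items():
        if pattern.search(text):
            return kind
    return None


def classify(key, value):
    """Decide whether one key/value pair holds a literal secret. Rules in priority order."""
    parts = value.split()
    if not parts:
        return None
    compact = parts[-1]              # drops an auth scheme such as "Bearer "
    if PLACEHOLDER.match(compact):
        return None                  # resolved at runtime, nothing stored in the export
    kind = match_pattern(value)
    if kind:
        return kind
    if any(s in key.lower() for s in SENSITIVE_KEYS):
        return "literal_in_sensitive_field"
    if TOKEN_SHAPE.match(compact) and shannon_entropy(compact) >= ENTROPY_BITS:
        return "high_entropy"
    return None


def scan(doc, path=(), findings=None):
    """Recursively walk any Postman JSON document and collect findings."""
    if findings is None:
        findings = []
    if isinstance(doc, dict):
        key, value = doc.get("key"), doc.get("value")
        pair = isinstance(key, str) and isinstance(value, str)
        if pair:
            kind = classify(key, value)
            if kind:
                findings.append(Finding("/".join(path), key, kind, redact(value)))
        for k, v in doc.items():
            if pair and k == "value":
                continue             # already classified above
            scan(v, path + (k,), findings)
    elif isinstance(doc, list):
        for i, v in enumerate(doc):
            scan(v, path + (str(i),), findings)
    elif isinstance(doc, str):
        kind = match_pattern(doc)    # tokens pasted into descriptions, raw URLs, bodies
        if kind:
            findings.append(Finding("/".join(path), path[-1] if path else "", kind, redact(doc)))
    return findings


# Constructed sample export: every credential below is fake and for the demo only.
SAMPLE_COLLECTION = {
    "info": {"name": "payments-api",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [
        {"key": "base_url", "value": "https://api.example.test"},
        {"key": "github_token", "value": "ghp_0123456789abcdefghijABCDEFGHIJklmnop"},
        {"key": "session_id", "value": "A1b2C3d4E5f6G7h8I9j0KlMnOpQrStUv"},
    ],
    "item": [
        {"name": "Create charge", "request": {
            "method": "POST",
            "url": {"raw": "{{base_url}}/v1/charges", "host": ["{{base_url}}"], "path": ["v1", "charges"]},
            "header": [
                {"key": "Authorization", "value": "Bearer {{access_token}}"},
                {"key": "X-Api-Key", "value": "pk-9f8e7d6c5b4a3f2e1d0c"},
            ]}},
        {"name": "Post to Slack", "request": {
            "method": "POST",
            "url": {"raw": "https://slack.com/api/chat.postMessage"},
            "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "xoxb-1234567890-abcdefghijklmnop"}]}}},
    ],
}
SAMPLE_ENVIRONMENT = {"name": "prod", "values": [
    {"key": "access_token", "value": "", "enabled": True},
    {"key": "admin_password", "value": "hunter2", "enabled": True},
]}

if __name__ == "__main__":
    docs = [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_COLLECTION, SAMPLE_ENVIRONMENT]
    for doc in docs:
        for f in scan(doc):
            print(f"{f.kind:28} {f.path:32} {f.key} = {f.sample}")
```

Run it with no arguments to see the findings on the constructed samples, or pass one or more exported `.postman_collection.json` / `.postman_environment.json` files. Anything reported should be moved into an environment variable that stays local (or an initial value left blank), and the credential itself rotated if the workspace was ever public.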