Sensitive data leaks in Postman workspaces pose significant risks, exposing API keys, credentials, and tokens that can lead to unauthorized access, data breaches, and reputational harm. A year-long investigation revealed over 30,000 publicly accessible workspaces leaking sensitive information, including business data and customer PII. Improper access controls, accidental sharing, and storing data in plaintext were major contributors to these vulnerabilities. Adopting best practices like using environment variables, limiting permissions, and implementing external secrets management is critical to mitigate these risks and secure collaborative development environments.
In the fast-paced world of API development and testing, Postman has emerged as a go-to tool for developers and organizations. Its ease of use, versatility, and collaborative features make it indispensable. However, with great power comes great responsibility—and risks. Postman environments often house sensitive data, from API keys and tokens to confidential business logic, making it a potential goldmine for malicious actors when mishandled.
Sensitive information like API keys, documentation, credentials, and tokens often ends up exposed through Postman collections, creating serious security vulnerabilities. Using CloudSEK’s XVigil, we uncovered multiple instances of sensitive data being unintentionally leaked, underscoring the critical need for better security practices and awareness.
One of the leading organizations in the athletic apparel and footwear industry could have been compromised after one of its private Postman workspaces was leaked by a third-party vendor. The requests in the workspace were being made to the organization's Okta IAM, together with valid credentials and an access token. With that access, any threat actor could have reached the other internal APIs of the brand referenced in the Postman workspace. Through those accesses, malicious actors could exfiltrate invoices, trade content, attributes, shipment details and other commercial data.
Impact Analysis:
A major healthcare firm could have suffered a serious data leak, exposing customer information and granting full administrator access to its support portal, after a public Postman workspace was discovered leaking highly sensitive information, including active ZenDesk admin credentials. This kind of exposure is a ticking time bomb, potentially opening the door to customer data breaches and unauthorized access to the organization's ZenDesk support portal, risks that could severely impact both reputation and finances.
The exposed ZenDesk credentials, still active, could allow malicious actors to log into the support portal with full admin privileges. This means they could perform critical actions, like creating or modifying Community Articles in the organization’s name, further amplifying the potential damage.
During our investigation, we came across multiple instances of Razorpay API keys being accidentally exposed in publicly shared Postman workspaces. These keys, designed to enable secure communication with Razorpay’s API, were left unprotected, making them vulnerable to unauthorized access.
This kind of oversight could easily allow threat actors to exploit the exposed keys, potentially leading to financial fraud or misuse of payment systems. It’s a stark reminder of the importance of securing sensitive credentials, especially in collaborative environments.
Leaked API keys can have devastating consequences, including unauthorized transactions that lead to financial losses, breaches exposing sensitive customer data, and significant reputational damage as trust and compliance take a hit. Businesses may also face operational disruptions, as revoking and regenerating keys while addressing the fallout from misuse can interrupt normal workflows.
We discovered a serious leak in a public Postman workspace where a refresh token and session secret of a major CRM software were exposed. To make matters worse, the API endpoint for generating access tokens was also included, allowing unauthorized users to potentially exploit the entire token lifecycle.
The leak of the refresh token and session secret opens the door to serious risks. Attackers could use them to generate valid access tokens, giving them unauthorized access to sensitive APIs. This not only puts data at risk but also allows for session hijacking, where user sessions can be exploited for data theft or service misuse. Worse yet, if other details are also exposed, attackers could escalate their access, compromise systems further, or even impersonate legitimate users, making the impact even more severe.
The requests in this workspace were being made to the New Relic API (log monitoring and analytics software) of a large software company, along with a valid API key. Threat actors could gain access to log files, microservices, internal endpoints and headers. This may give them access to system and application logs, product usage data, network traffic data and user credentials, which together provide a wealth of information about the company and its internal infrastructure.
For POC purposes, we also reproduced the query mentioned in the exposed Postman workspace. This query will generate a public URL for a given dashboard page entity GUID. The dashboard page can then be accessed in the form of a static snapshot in the resulting public URL.
Upon visiting the URL in the browser, you will get the dashboard details.
In this case, a Postman workspace was found publicly exposing API documentation, including details about endpoints, request parameters, authentication methods, and error codes. To make matters worse, a working token was also leaked.
This kind of exposure can have serious consequences: attackers could use the detailed endpoint information to exploit vulnerabilities or access restricted resources, significantly increasing the attack surface for targeted threats like SQL injection or denial-of-service attacks. Additionally, competitors or malicious actors might gain insights into proprietary business logic, jeopardizing confidentiality and giving them an unfair advantage.
In this particular case, the API was used to send WhatsApp messages on behalf of the organization from its WhatsApp account. Using the token, researchers were able to take complete control of the account and could send any kind of SMS/message to users; this could easily be used to phish users into installing malicious software or handing over their credentials.
Several common scenarios and practices lead to sensitive data leaks within Postman. These often stem from inadequate access controls, accidental sharing, and insecure storage practices.
A Postman collection is a structured group of API requests, organized with relevant data like parameters, headers, and authentication details, designed to simplify testing and collaboration.
Here are some typical causes of data exposure:
One of Postman’s strongest features is its collaboration capability, allowing team members to share collections and environments for efficient development. However, this can also lead to unintended exposure if sensitive data is embedded in shared collections. When environments containing sensitive variables are shared across teams or with external collaborators, unauthorized users may gain access to confidential information.
In some cases, Postman collections and environment files are synced or exported and stored in public repositories like GitHub. If sensitive data isn’t masked or sanitized before these files are uploaded, it becomes accessible to anyone with access to the repository. This is a common vulnerability, as developers may inadvertently publish tokens or secrets without realizing the impact.
Postman allows users to set different levels of permissions, but misconfigured access controls can lead to broad access where only restricted access should be allowed. If sensitive environments are shared organization-wide or even made public by mistake, this can result in a substantial data leak.
Postman often saves environment variables and other data in plaintext format, which can be viewed by any user with access to the Postman workspace or environment file. This lack of encryption for locally stored or shared sensitive information makes it susceptible to exposure, especially on shared or compromised devices.
In API testing, it’s common to use tokens to authenticate requests. Many teams opt for long-lived tokens to avoid constant re-authentication. However, if these tokens are not rotated frequently or are hardcoded into Postman, they can become high-value targets. If exposed, these tokens could provide prolonged unauthorized access to systems.
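The causes above (secrets embedded in shared collections, exports committed to repositories unsanitized, plaintext environment values and hardcoded long-lived tokens) can all be caught before a file leaves the developer's machine. The script below is an added example, not CloudSEK's, Postman's or the original post's code. It assumes the layout of Postman's Collection v2.1 export (`info`, nested `item` folders, `request.header`, `request.auth`, `request.url`, collection-level `variable`) and of the environment export (`values` entries with `key`, `value`, `type`, `enabled`); the sample collection and environment embedded at the bottom are constructed. It reports every credential-bearing slot that holds a literal value instead of a `{{variable}}` reference, and can emit a redacted copy in which those literals are replaced by placeholder variable references.

```python
"""Audit exported Postman files for hardcoded credentials and redact them. Added example
(not CloudSEK's or Postman's code) covering the Collection v2.1 and environment export
formats; the sample collection and environment at the bottom are constructed."""
import copy
import re
from urllib.parse import parse_qsl, urlsplit

# Name fragments of headers, query parameters and variables that usually carry credentials.
SENSITIVE = ("authorization", "token", "secret", "password", "api-key", "api_key", "apikey", "cookie")
VARIABLE_REF = re.compile(r"\{\{[^{}]+\}\}")               # {{var}} reference, resolved only at runtime
SCHEME_ONLY = re.compile(r"^(bearer|basic|token)$", re.I)  # "Bearer {{token}}" leaves just "Bearer"

def looks_sensitive(name):
    return any(t in (name or "").lower() for t in SENSITIVE)

def is_literal(value):
    """True when something besides {{variable}} references and an auth scheme word remains."""
    rest = VARIABLE_REF.sub("", value).strip() if isinstance(value, str) else ""
    return rest != "" and not SCHEME_ONLY.match(rest)

def placeholder(name):
    return "{{" + re.sub(r"[^A-Za-z0-9_]", "_", name).upper() + "}}"

def audit_collection(collection, redact=False):
    """Return (findings, doc); with redact=True, doc is a deep copy with literals replaced."""
    doc = copy.deepcopy(collection) if redact else collection
    findings = []

    def check(where, param, name, path, force=False):
        if (force or looks_sensitive(name)) and is_literal(param.get("value")):
            findings.append({"path": path, "where": where, "name": name})
            if redact:
                param["value"] = placeholder(name)

    def walk(items, path):
        for item in items:
            here = f"{path}/{item.get('name', '?')}"
            if "item" in item:                          # folder: recurse
                walk(item["item"], here)
                continue
            req = item.get("request")
            if not isinstance(req, dict):               # v2.1 also allows a bare URL string here
                continue
            for h in req.get("header", []):
                check("header", h, h.get("key", ""), here)
            auth = req.get("auth") or {}
            for p in auth.get(auth.get("type", ""), []) or []:
                # apikey auth keeps the secret itself under the parameter named "value"
                check(f"auth.{auth['type']}", p, p.get("key", ""), here, force=p.get("key") == "value")
            url = req.get("url")
            raw = url.get("raw", "") if isinstance(url, dict) else (url or "")
            for k, v in parse_qsl(urlsplit(raw).query, keep_blank_values=True):
                if looks_sensitive(k) and is_literal(v):
                    findings.append({"path": here, "where": "query", "name": k})
                    if redact:                          # patch the raw URL and the parsed query list
                        if isinstance(url, str):
                            url = req["url"] = {"raw": url}
                        url["raw"] = url["raw"].replace(v, placeholder(k))
                        for q in url.get("query", []):
                            if q.get("value") == v:
                                q["value"] = placeholder(k)

    root = doc.get("info", {}).get("name", "collection")
    for var in doc.get("variable", []):
        check("collection variable", var, var.get("key", ""), root)
    walk(doc.get("item", []), root)
    return findings, doc

def audit_environment(env, redact=False):
    """Environment exports hold every enabled value in plaintext, whatever its 'type' says."""
    doc = copy.deepcopy(env) if redact else env
    findings = []
    for var in doc.get("values", []):
        name = var.get("key", "")
        if var.get("enabled", True) and looks_sensitive(name) and is_literal(var.get("value")):
            findings.append({"path": doc.get("name", "environment"), "name": name,
                             "where": f"environment ({var.get('type', 'default')})"})
            if redact:
                var["value"] = ""                       # keep the key so teammates know what to set locally
    return findings, doc

SAMPLE_COLLECTION = {   # constructed sample, not a real workspace
    "info": {"name": "Orders API", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"},
                 {"key": "apiToken", "value": "hardcoded-token-123"}],
    "item": [
        {"name": "Login", "request": {"method": "POST", "url": "{{baseUrl}}/login", "auth": {"type": "basic",
            "basic": [{"key": "username", "value": "svc"}, {"key": "password", "value": "Pa55word!"}]}}},
        {"name": "Orders", "item": [
            {"name": "List", "request": {"method": "GET", "header": [{"key": "Authorization", "value": "Bearer {{apiToken}}"}],
                "url": {"raw": "{{baseUrl}}/orders?api_key=AKIA-constructed&page=1",
                        "query": [{"key": "api_key", "value": "AKIA-constructed"}, {"key": "page", "value": "1"}]}}},
            {"name": "Export", "request": {"method": "GET", "url": "{{baseUrl}}/export", "auth": {"type": "apikey",
                "apikey": [{"key": "key", "value": "X-API-Key"}, {"key": "value", "value": "sk_live_constructed"},
                           {"key": "in", "value": "header"}]}}}]}]}
SAMPLE_ENV = {"name": "prod", "values": [   # constructed sample environment export
    {"key": "baseUrl", "value": "https://api.example.test", "type": "default", "enabled": True},
    {"key": "refresh_token", "value": "rt-constructed", "type": "secret", "enabled": True},
    {"key": "old_password", "value": "x", "type": "default", "enabled": False}]}
```

Run it over `json.load`-ed export files from a pre-commit hook or a CI step: the check worth gating on is that `audit_collection` and `audit_environment` return no findings, and `audit_collection(redacted_copy)` returning an empty list confirms the redaction was complete. The header rule deliberately accepts `Bearer {{apiToken}}`, since a scheme word followed by a variable reference is exactly the pattern the page recommends; the value is then supplied from a local environment that is never exported.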
Sensitive data exposure within Postman can have significant consequences for both individual developers and entire organizations. A leaked API key or access token, for example, can provide attackers with direct access to critical systems and data, potentially leading to:
A Postman workspace is a collaborative environment where users can organize and share API collections, environments, and other resources with team members for streamlined development and testing.
The data highlights a concerning discovery of over 30k public Postman collections exposing sensitive API keys and credentials across a wide range of platforms and services. Here are some critical insights:
This data underscores a significant gap in API security practices and emphasizes the urgent need for stricter controls on how API keys and credentials are managed in collaborative development environments. A pie chart visualizing the proportions could further highlight the concentration of leaks among the top services.
Sensitive information is often used within Postman to authenticate and communicate with APIs. This data typically includes:
To keep your sensitive data safe in Postman, here are some best practices:
Commendations to the Postman Security Team for their prompt and effective response in strengthening platform security. Following the disclosure of our findings, they implemented a comprehensive secret-protection policy to mitigate the exposure of sensitive data, such as API keys, in public workspaces. This policy proactively notifies users if secrets are detected, offering resolutions and facilitating transitions to private or team workspaces. These decisive measures underscore Postman’s dedication to user safety and the integrity of their Public API Network. Learn more about these updates here.