Hackers Scour Exposed Postman Instances For Credentials and API Secrets
November 30, 2022
The proliferation of cloud services and DevOps has led to increased usage of application programming interfaces (APIs). And many developers rely on services like Postman to design, build, test, and streamline their APIs.
CloudSEK’s XVigil has observed a spike in exposed Postman instances. This trend is especially concerning because Postman is used by 500,000 organizations and 20 million developers across the world.
With the popularity and ubiquity of Postman, threat actors have increasingly shown interest in the publicly available Postman instances in order to extract critical information. XVigil has discovered multiple Postman public workspaces and API documentation exposing credentials and sensitive API endpoints.
Publicly available Postman instances that contain sensitive information can be exploited by threat actors in the following ways
API secrets can be used to access API endpoints and steal, modify, or delete data, depending on the API functionality.
Credentials can be used to gain unauthorized access to accounts and internal networks to steal sensitive files and information.
PII can be leveraged to orchestrate social engineering attacks, phishing campaigns, and identity theft.
Threat actors can sell the stolen data, or the access itself, on the dark web.
Research shows that companies can face up to billions in losses, due to API related security issues. Hence it is important for organizations to
Monitor public-facing code repos and Postman instances for API secret leaks and credential leaks.
Make sure API keys are not made publicly available on Postman workspaces.