Hackers Scour Exposed Postman Instances For Credentials and API Secrets
November 30, 2022
•
4
min read
The proliferation of cloud services and DevOps has led to increased usage of application programming interfaces (APIs). And many developers rely on services like Postman to design, build, test, and streamline their APIs.
CloudSEK’s XVigil has observed a spike in exposed Postman instances. This trend is especially concerning because Postman is used by 500,000 organizations and 20 million developers across the world.
The Threat
With the popularity and ubiquity of Postman, threat actors have increasingly shown interest in the publicly available Postman instances in order to extract critical information. XVigil has discovered multiple Postman public workspaces and API documentation exposing credentials and sensitive API endpoints.
XVigil alert of a Postman public workspace exposing credentials and sensitive API endpoints
Impact
Publicly available Postman instances that contain sensitive information can be exploited by threat actors in the following ways
API secrets can be used to access API endpoints and steal, modify, or delete data, depending on the API functionality.
Credentials can be used to gain unauthorized access to accounts and internal networks to steal sensitive files and information.
PII can be leveraged to orchestrate social engineering attacks, phishing campaigns, and identity theft.
Threat actors can sell the stolen data, or the access itself, on the dark web.
Threat actors selling data stolen via unauthorized API access
Mitigation Measures
Research shows that companies can face up to billions in losses, due to API related security issues. Hence it is important for organizations to
Monitor public-facing code repos and Postman instances for API secret leaks and credential leaks.
Make sure API keys are not made publicly available on Postman workspaces.
A Postman public workspace exposing an API collection which contained secrets and credentials related to multiple insurance companies. These secrets are meant for internal use of the firms only.
Screenshot of a Postman instance containing authorization secrets
A Postman public workspace mentioning the leak of API collection which contained secrets and credentials related to multiple insurance companies.