- Many organizations using Postman workspaces are putting their data at risk.
- Researchers found tens of thousands of publicly accessible workspaces leaking data.
- The leaked data includes sensitive information about third-party APIs.
Many organizations using Postman workspaces are putting their data, employees, customers and partners at risk due to various misconfigurations, experts warned.
CloudSEK’s Triad team discovered more than 30,000 publicly accessible Postman workspaces leaking sensitive information.
For those unfamiliar with Postman, it is a collaborative platform for API development, often used as a public workspace to create, test, share, and manage APIs. It provides tools for developers to optimize the API lifecycle, from design and testing to documentation and deployment.
Widespread misconfigurations
CloudSEK said these tens of thousands of publicly accessible workspaces were leaking sensitive information about third-party APIs, including access tokens, refresh tokens, and third-party API keys. The sensitive information discovered includes administrator credentials, payment processing API keys, and access to internal systems.
Companies of all shapes and sizes were leaking data, from SMEs to large enterprises, the researchers further said. Some owners of the leaked API keys and access tokens are still unidentified, as improper permissions and API throttling prevented researchers from identifying them.
The top affected platforms include GitHub (5,924 exposures), Slack (5,552), and Salesforce (4,206), while the most exposed sectors include healthcare, sports apparel, and financial services.
Misconfigurations are widespread, CloudSEK says, adding that organizations are exposed to “significant security risks,” including “serious financial and reputational damage.”
“Postman workspaces often contain sensitive data, including API keys, tokens, credentials, and documentation,” the researchers said. “When mishandled, this data becomes a treasure trove for malicious actors capable of exploiting vulnerabilities to commit financial fraud, data breaches, and reputational damage.”
CloudSEK said it reported most of the incidents to their respective organizations, but did not mention how many responded or how. The researchers added that Postman implemented new security measures, including proactive secret detection and notifications to users when sensitive data is found in public workspaces.
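A defender-side check in the spirit of the secret detection mentioned above: an added example, not CloudSEK's or Postman's code, that scans an exported Postman collection for literal tokens and API keys before the workspace is shared. The collection JSON and the token patterns are constructed for illustration; `{{var}}` placeholders are treated as safe because they export no literal value.

```python
import json
import re

# Constructed Postman Collection v2.1 export with placeholder (not real) credential-shaped values.
SAMPLE_COLLECTION = json.loads(r'''{
  "variable": [{"key": "slackToken", "value": "xoxb-000000000000-000000000000-EXAMPLEEXAMPLEEXAMPLEEXAM"}],
  "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{accessToken}}"}]},
  "item": [
    {"name": "Create charge", "request": {"method": "POST",
      "header": [{"key": "Authorization", "value": "Bearer sk_live_EXAMPLE0000000000000000"}]}},
    {"name": "List repos", "request": {"method": "GET",
      "header": [{"key": "Authorization", "value": "token ghp_EXAMPLE00000000000000000000000000000"}]}}
  ]
}''')

# Assumed token shapes for two platforms the report names, plus a generic literal bearer token.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b"),
    "bearer_literal": re.compile(r"\bBearer\s+(?!\{\{)[A-Za-z0-9._\-]{16,}"),
}
SENSITIVE_KEY = re.compile(r"token|secret|key|password|passwd|credential", re.I)

def iter_values(node, path="$"):
    # Yield (json_path, key_name, value) for every string leaf; Postman stores headers,
    # variables and auth params as {key, value} pairs, so key_name is that pair's key.
    if isinstance(node, dict):
        if isinstance(node.get("key"), str) and isinstance(node.get("value"), str):
            yield f"{path}.value", node["key"], node["value"]
            return
        for k, v in node.items():
            yield from iter_values(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from iter_values(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, None, node

def scan_collection(collection):
    # Return every literal value that looks like a secret, with the rule(s) that fired.
    findings = []
    for path, label, value in iter_values(collection):
        if value.startswith("{{") and value.endswith("}}"):
            continue  # {{var}} placeholder: resolved at run time, no literal is exported
        reasons = [name for name, rx in SECRET_PATTERNS.items() if rx.search(value)]
        if label and SENSITIVE_KEY.search(label):
            reasons.append("sensitive_key_name")
        if reasons:
            findings.append({"path": path, "key": label, "reasons": reasons})
    return findings
```

Run it against a real export (`File > Export` in Postman) as a pre-publish gate; any finding means the value belongs in an environment or secret store, not in the collection itself.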