Hackers Scour Exposed Postman Instances For Credentials and API Secrets

CloudSEK’s XVigil has observed a spike in exposed Postman instances. This trend is especially concerning because Postman is used by 500,000 organizations and 20 million developers across the world.
Published on November 30, 2022. Updated on April 19, 2023.
The proliferation of cloud services and DevOps has led to increased usage of application programming interfaces (APIs), and many developers rely on services like Postman to design, build, test, and streamline their APIs. CloudSEK’s XVigil has observed a spike in exposed Postman instances. This trend is especially concerning because Postman is used by 500,000 organizations and 20 million developers across the world.

The Threat

With the popularity and ubiquity of Postman, threat actors have increasingly shown interest in the publicly available Postman instances in order to extract critical information. XVigil has discovered multiple Postman public workspaces and API documentation exposing credentials and sensitive API endpoints.

[Image: XVigil alert of a Postman public workspace exposing credentials and sensitive API endpoints]

Impact

Publicly available Postman instances that contain sensitive information can be exploited by threat actors in the following ways:
  • API secrets can be used to access API endpoints and steal, modify, or delete data, depending on the API functionality.
  • Credentials can be used to gain unauthorized access to accounts and internal networks to steal sensitive files and information.
  • PII can be leveraged to orchestrate social engineering attacks, phishing campaigns, and identity theft.
  • Threat actors can sell the stolen data, or the access itself, on the dark web.
[Image: Threat actors selling data stolen via unauthorized API access]

Mitigation Measures

Research shows that companies can face losses running into billions due to API-related security issues. Hence it is important for organizations to:
  • Monitor public-facing code repos and Postman instances for API secret leaks and credential leaks.
  • Make sure API keys are not made publicly available on Postman workspaces.
  • Keep their Postman workspaces private wherever possible.
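To make the first two measures concrete, here is an added example (not CloudSEK's or Postman's code) that scans an exported Postman collection for credentials stored as literals in headers, query parameters and auth blocks, so a workspace can be checked before it is made public. It assumes Postman's collection v2.1 JSON layout and uses a constructed sample export.

```python
"""Scan a Postman Collection v2.1 export for hard-coded secrets before it is shared.
Added example, not CloudSEK's or Postman's code. Assumes the standard layout (nested "item"
entries whose "request" holds "header", "url.query", "auth"); {{name}} values are variables."""
import re

SENSITIVE_KEYS = re.compile(r"authorization|api[-_]?key|token|secret|password", re.I)
VARIABLE_REF = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")  # unresolved Postman variable

def is_literal_secret(value):
    """True for a non-empty value that is not a {{variable}} reference."""
    return bool(value) and not VARIABLE_REF.match(str(value))

def scan_request(name, request, findings):
    """Append (request name, location, key) for each credential stored as a literal."""
    for h in request.get("header", []):
        if SENSITIVE_KEYS.search(h.get("key", "")) and is_literal_secret(h.get("value")):
            findings.append((name, "header", h["key"]))
    url = request.get("url")
    if isinstance(url, dict):  # "url" may also be a plain string with no query list
        for q in url.get("query", []):
            if SENSITIVE_KEYS.search(q.get("key", "")) and is_literal_secret(q.get("value")):
                findings.append((name, "query", q["key"]))
    auth = request.get("auth") or {}
    # auth[type] is a list of {"key", "value"} entries (bearer -> "token"); for "apikey"
    # the entry named "value" holds the secret while "key" and "in" are only metadata.
    for field in auth.get(auth.get("type", ""), []):
        key = field.get("key", "")
        if (key == "value" or SENSITIVE_KEYS.search(key)) and is_literal_secret(field.get("value")):
            findings.append((name, f"auth.{auth['type']}", key))

def scan_collection(collection):
    """Walk folders recursively; return all findings as a list of tuples."""
    findings = []
    def walk(items):
        for item in items:
            if "item" in item:  # a folder nests further items
                walk(item["item"])
            elif "request" in item:
                scan_request(item.get("name", "?"), item["request"], findings)
    walk(collection.get("item", []))
    return findings

# Constructed sample export: one folder, two requests; the secrets are obvious placeholders.
SAMPLE_COLLECTION = {"item": [{"name": "Claims", "item": [
    {"name": "List claims", "request": {
        "url": {"raw": "https://api.example.test/claims", "query": [{"key": "api_key", "value": "CONSTRUCTED-SECRET-1"}]},
        "header": [{"key": "X-API-Key", "value": "{{apiKey}}"}]}},
    {"name": "Get policy", "request": {"url": "https://api.example.test/policy",
        "header": [{"key": "Authorization", "value": "Bearer CONSTRUCTED-SECRET-2"}],
        "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "CONSTRUCTED-SECRET-3"}]}}}]}]}
```

Running `scan_collection(SAMPLE_COLLECTION)` reports the query parameter, the Authorization header and the bearer token, while the `{{apiKey}}` header passes because it references a variable rather than embedding the key.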

Appendix

  • A Postman public workspace exposing an API collection which contained secrets and credentials related to multiple insurance companies. These secrets are meant for the firms' internal use only.
[Image: Screenshot of a Postman instance containing authorization secrets]
  • A Postman public workspace mentioning the leak of an API collection which contained secrets and credentials related to multiple insurance companies.
[Image: Snapshot of the threat classified by XVigil]
