CyberSecurity SEE

Postman Workspaces Expose 30000 API Keys and Sensitive Tokens

Researchers at CloudSEK have uncovered a significant security threat involving the exposure of over 30,000 public workspaces on Postman, a popular cloud-based API development and testing platform. The leaks include sensitive data such as API keys, tokens, and administrator credentials, putting businesses and individuals at risk. Platforms like GitHub, Slack, and Salesforce have been impacted, with data leaks attributed to misconfigured access controls, plaintext storage, and public sharing of collections.

According to CloudSEK’s report shared with Hackread.com, organizations across various industries, including healthcare, athletic apparel, and financial services, have been affected. The leaks can lead to severe consequences, such as financial and reputational damage, as the exposed data includes payment processing API keys and access to internal systems.

The exposed API keys and access tokens can provide attackers with direct access to critical systems and data, potentially leading to data breaches and unauthorized system access. Postman stores sensitive information for authentication and communication with APIs, making it crucial for organizations to use environment variables, limit permissions, rotate tokens frequently, and leverage external secrets management tools to ensure data safety.

CloudSEK has responsibly reported most identified incidents to affected organizations to help mitigate risks. The company urges organizations to adopt more reliable security measures and emphasizes the importance of avoiding hardcoding sensitive data, rotating tokens frequently, and double-checking collections before sharing.
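The two practices the article keeps returning to, moving credentials out of the collection into environment variables and double-checking a collection before it is shared, can be turned into a pre-share check. The script below is an added example written for this page; it is not CloudSEK's tooling or any Postman feature. It assumes the layout of a Postman Collection Format v2.1 JSON export (top-level `variable` list, nested `item` folders, per-request `header`, `url.query` and `auth` blocks), flags credential-looking literals that are not `{{variable}}` references, and can rewrite them into variable references while returning the extracted values for a private environment. The collection it runs on is a constructed sample with made-up tokens, and the function names are this example's own.

```python
"""Pre-share check for a Postman collection export (Collection Format v2.1 JSON).

Finds credential-looking literals that should live in a private environment
instead of the collection, and can rewrite them into {{VARIABLE}} references,
returning the extracted values separately so they can be loaded into a
private Postman environment rather than shipped with the collection.
"""
import json
import re

# Field names that usually carry a credential (headers, query params, variables).
SENSITIVE_KEYS = re.compile(
    r"authorization|api[-_]?key|token|secret|password|credential", re.IGNORECASE
)
# A value that is only a variable reference, optionally behind an HTTP auth
# scheme ("{{api_key}}", "Bearer {{token}}"), is already externalized.
TEMPLATE_REF = re.compile(r"^\s*(?:Bearer|Basic)?\s*\{\{[^}]+\}\}\s*$", re.IGNORECASE)
AUTH_SCHEME = re.compile(r"^\s*(Bearer|Basic)\s+(\S.*)$", re.IGNORECASE)


def _is_literal(value):
    """A non-empty string that is not a {{variable}} reference."""
    return isinstance(value, str) and bool(value.strip()) and not TEMPLATE_REF.match(value)


def _requests(items, path=()):
    """Walk folders recursively, yielding (path, request) for every request item."""
    for item in items:
        name = item.get("name", "?")
        if "item" in item:
            yield from _requests(item["item"], path + (name,))
        elif "request" in item:
            yield path + (name,), item["request"]


def _secret_fields(collection):
    """Yield (location, holder_dict, field) for every literal credential found."""
    for var in collection.get("variable") or []:
        if SENSITIVE_KEYS.search(var.get("key", "")) and _is_literal(var.get("value")):
            yield "collection.variable", var, "value"
    for path, req in _requests(collection.get("item") or []):
        loc = "/".join(path)
        for hdr in req.get("header") or []:
            if SENSITIVE_KEYS.search(hdr.get("key", "")) and _is_literal(hdr.get("value")):
                yield f"{loc} header", hdr, "value"
        url = req.get("url")
        if isinstance(url, dict):
            for q in url.get("query") or []:
                if SENSITIVE_KEYS.search(q.get("key", "")) and _is_literal(q.get("value")):
                    yield f"{loc} query", q, "value"
        auth = req.get("auth") or {}
        atype = auth.get("type", "")
        for entry in auth.get(atype) or []:
            key = entry.get("key", "")
            # "apikey" auth stores the secret under the entry named "value".
            sensitive = SENSITIVE_KEYS.search(key) or (atype == "apikey" and key == "value")
            if sensitive and _is_literal(entry.get("value")):
                yield f"{loc} auth.{atype}", entry, "value"


def scan_collection(collection):
    """Report every hardcoded credential as {'where': ..., 'key': ...}."""
    return [{"where": where, "key": holder.get("key", "")}
            for where, holder, _ in _secret_fields(collection)]


def externalize_secrets(collection, prefix="SECRET"):
    """Return (sanitized copy, env): each literal secret becomes a {{VAR}} reference.

    env maps the generated variable names to the secret values; import it into a
    private environment, never into the shared collection.
    """
    env, by_value = {}, {}
    for _, holder, field in _secret_fields(collection):
        value = holder[field]
        m = AUTH_SCHEME.match(value)
        secret = m.group(2) if m else value.strip()  # keep "Bearer " in the collection
        if secret in by_value:
            continue
        base = prefix + "_" + re.sub(r"[^A-Za-z0-9]+", "_", holder.get("key", "")).upper()
        var, n = base, 2
        while var in env:  # same key name, different secret
            var, n = f"{base}_{n}", n + 1
        env[var], by_value[secret] = secret, var
    # Substitute every occurrence (including copies inside url.raw) via the JSON
    # text; this assumes secrets are distinctive strings, as real tokens are.
    text = json.dumps(collection)
    for var, secret in env.items():
        text = text.replace(json.dumps(secret)[1:-1], "{{" + var + "}}")
    return json.loads(text), env


# Constructed sample: two hardcoded credentials in "Charge" and one in a
# collection variable; "Refund" already uses environment variables correctly.
SAMPLE_COLLECTION = {
    "info": {"name": "billing-api (constructed sample)"},
    "variable": [
        {"key": "base_url", "value": "https://api.example.test"},
        {"key": "admin_password", "value": "hunter2-not-a-real-password"},
    ],
    "item": [{"name": "Payments", "item": [
        {"name": "Charge", "request": {
            "method": "POST",
            "header": [{"key": "Authorization", "value": "Bearer CONSTRUCTED_TOKEN_0123456789abcdef"}],
            "url": {"raw": "{{base_url}}/v1/charge?api_key=CONSTRUCTED_KEY_abcdef0123",
                    "query": [{"key": "api_key", "value": "CONSTRUCTED_KEY_abcdef0123"}]}}},
        {"name": "Refund", "request": {
            "method": "POST",
            "header": [{"key": "Authorization", "value": "Bearer {{payments_token}}"}],
            "auth": {"type": "apikey", "apikey": [
                {"key": "key", "value": "X-API-Key", "type": "string"},
                {"key": "value", "value": "{{payments_api_key}}", "type": "string"},
                {"key": "in", "value": "header", "type": "string"}]},
            "url": {"raw": "{{base_url}}/v1/refund"}}},
    ]}],
}

if __name__ == "__main__":
    for f in scan_collection(SAMPLE_COLLECTION):
        print(f"hardcoded credential: {f['where']} -> {f['key']}")
    clean, env = externalize_secrets(SAMPLE_COLLECTION)
    print("variables for a private environment:", sorted(env))
    print("findings after rewrite:", scan_collection(clean))
```

Run it against a `collection.json` exported from Postman before the collection is pushed to a public workspace: a non-empty report means the export still carries a credential. The rewrite keeps the `Bearer` scheme in the header and only moves the token, so the request keeps working once the returned `env` values are loaded into a private environment; the originals should then be rotated, since a secret that was ever committed to a shared collection has to be assumed exposed.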

In response to these findings, Postman has implemented a secret-protection policy to prevent sensitive data from being exposed in public workspaces. The policy alerts users if secrets are detected and facilitates transitions to private or team workspaces to safeguard sensitive information.

Overall, the exposure of sensitive data in public workspaces on Postman highlights the critical need for organizations to prioritize data security and adopt robust security measures to prevent data leaks and protect sensitive information from falling into the wrong hands.

Various related topics, such as common API vulnerabilities and data exposure incidents in different industries, underscore the pervasive nature of cybersecurity threats and emphasize the importance of proactive risk mitigation strategies in today’s digital landscape.
