Someone Walked Off With Your API Secrets from the Postman

Man... I hope y’all read the disclaimer page. Again.

This might be more of a rant and not much practical stuff this time... Oh... it's been a while too, huh... Yeah... Life's been doing its thing... Anyways...

The Reckless Exposure of Sensitive Data

If you're a developer, odds are you've used Postman at some point... it's like that Swiss Army knife that makes working with APIs a breeze. But we need to talk about the reckless exposure of sensitive data through this handy tool: collections, environments and the requests inside them get shared to public workspaces with real credentials still in them. Can we help it? Probably... if we're willing to stop being lazy and pay attention. Okay... maybe I shouldn't be mean... but seriously...

Why Should I Care?

Alright, so picture this: we're building "Everybody's Favorite Fastfood Delivery App", we keep our API collections in Postman, and we leave the workspace public for everyone to see... A total disaster. Anyone who finds the collection also finds the tokens and keys saved in it, and with a simple script they can order themselves free chicken every day for life, all because that data was exposed.

Don't believe me that it's possible? Go search through some public Postman collections. I'll wait... Okay, maybe don't actually do that, because depending on what you do with what you find it's probably illegal 🤷‍♂️. But trust me, it's out there, and it's bad. Imagine you're an attacker (let's not actually do it, but imagine it). All you need to do is skim through some publicly shared Postman collections, and boom, you've got the keys to the kingdom.

The Real-Life Example

Above... you can see I went and searched for a random company and found test data that shouldn't be exposed. Attempts were made to report it, but the company doesn't have an active "Responsible Disclosure Policy"... another rant for another day/blog.

See that image above again? Yeah, that's a live access token that could be used to authenticate to the API. Imagine if someone found this (with malicious intent)... suddenly they can access the system, place orders, or perform any action that the token allows, potentially leading to a complete disaster. Someone could automate the process, ordering free food every day 😉 😉 or, even worse, accessing customer information and wreaking havoc. And before anyone gets any ideas, this is not me encouraging you to go do this. Please don't.

But What If I Use an Environment?

WELP... The number of people who don't realize that their "environments" can also end up public is staggering. You think you're clever using Postman environments to keep secrets out of the collection itself, but environments live in the workspace too: if the workspace is public and the environment is in it, the values you put there are just as exposed as the collection. You've still got a leaky boat, my friend. Your keys are out there, sitting pretty, waiting for someone to stumble upon them.

So what should I do?
  1. Stop making everything public. Like seriously, Postman isn't your Instagram feed; don't share everything with the world.
  2. Use collections responsibly. Keep your collections private unless you want the world to play around with your endpoints. I'm pretty sure your boss won't like that.
  3. Environment variables are NOT always safe. Make sure they don't end up exposed with your collections. Remember that a variable's initial value is what gets synced and shared; only the current value stays on your machine, so a secret pasted into the initial value travels with the environment. If you must use them, sanitize before sharing. Make dummy tokens or something.

How to Not Leave Your API Collections Hanging Out Like Dirty Laundry

Alright, for those of you who actually need to put a public API collection out there, I got you. Here’s how you make sure you don’t leave anything important hanging out like dirty laundry:

  1. Remove Sensitive Data: Do a sweep. Make sure there are no API keys, tokens, passwords, or anything juicy in your collection, including collection-level auth, folder-level auth, query strings and saved example responses. If you need to, replace real data with dummy values.
  2. Use Mock Servers: Instead of exposing your real endpoints, use mock servers that simulate the API responses. Postman can help with that. Keep your real data safe and sound.
  3. Review Environment Variables: If you're using environment variables, make sure they don't include anything sensitive before you make that collection public. Dummy values only... don't be the reason someone has access to a lifetime supply of free burgers.
  4. Sanitize Request Headers: Headers like Authorization or Cookie can get you in trouble if left unchecked. Double-check those and clear out anything that could be critical. It's always the little things that get you.
  5. Limit Scope with Permissions: If you must include an API key, make sure it has minimal permissions and is scoped to a test or sandbox tenant. No need to hand over full admin rights, just enough to get by, nothing more.
  6. Document for Safety: Add some notes explaining that this collection is sanitized and meant for public use. It might save someone else from making a dumb mistake... or at least make them think twice.
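To make steps 1, 3 and 4 above something you can actually run before you hit "share", here is an added example (my own code, not anything from Postman or from this post's original author) that sweeps an exported collection and an exported environment for credentials and replaces them with a placeholder. It assumes the Postman Collection v2.1 export layout (headers under `request.header`, auth blocks as `{"type": "bearer", "bearer": [{key, value}]}`, folders nesting via `item`) and the environment export layout (`values: [{key, value, enabled}]`); the sample collection and environment embedded below are constructed for the demo and contain fake values. `{{variable}}` references are left alone, since that is exactly the form you want a public collection to have.

```python
"""Scrub secrets out of Postman collection / environment exports before sharing."""
import copy
import json
import re

PLACEHOLDER = "<REDACTED>"

# Header names that carry credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "api-key", "x-auth-token"}
# Variable / parameter names that usually hold a secret.
SENSITIVE_KEY_RE = re.compile(r"token|secret|passw(or)?d|api[_-]?key|auth|cookie|session|bearer", re.I)
# Values that look like credentials regardless of their name: Bearer/Basic blobs,
# JWTs, AWS access key ids, long opaque base64/hex strings.
SECRET_VALUE_RE = re.compile(
    r"^(?:Bearer\s+\S+|Basic\s+\S+|eyJ[\w-]+\.[\w-]+\.[\w-]*|AKIA[0-9A-Z]{16}|[A-Za-z0-9+/_-]{32,}=*)$")
# Parameters inside a Postman auth block whose value is always the credential itself.
AUTH_SECRET_KEYS = {"token", "password", "secret", "value", "accessToken", "refreshToken", "clientSecret"}


def looks_sensitive(key: str, value) -> bool:
    """True if a key/value pair should be redacted. {{var}} references are kept as-is."""
    if not isinstance(value, str) or not value or value.startswith("{{"):
        return False
    if key.lower() in SENSITIVE_HEADERS or SENSITIVE_KEY_RE.search(key):
        return True
    return bool(SECRET_VALUE_RE.match(value))


def _scrub_pairs(pairs, path, findings, force_keys=frozenset()):
    """Redact in place the values of a [{key, value}, ...] list; record where."""
    for entry in pairs or []:
        key, value = str(entry.get("key", "")), entry.get("value")
        literal = isinstance(value, str) and value != "" and not value.startswith("{{")
        if (key in force_keys and literal) or looks_sensitive(key, value):
            findings.append(f"{path}/{key}")
            entry["value"] = PLACEHOLDER


def _scrub_auth(auth, path, findings):
    """Auth block layout (assumed): {"type": "bearer", "bearer": [{key, value}, ...]}."""
    if isinstance(auth, dict) and isinstance(auth.get(auth.get("type")), list):
        _scrub_pairs(auth[auth["type"]], f"{path}/auth/{auth['type']}", findings, AUTH_SECRET_KEYS)


def _scrub_request(req, path, findings):
    if not isinstance(req, dict):  # a bare URL string carries no headers or auth
        return
    _scrub_pairs(req.get("header"), f"{path}/header", findings)
    _scrub_auth(req.get("auth"), path, findings)
    url = req.get("url")
    if isinstance(url, dict) and url.get("query"):
        originals = [dict(q) for q in url["query"]]
        _scrub_pairs(url["query"], f"{path}/query", findings)
        for old, new in zip(originals, url["query"]):  # keep url.raw consistent
            if new.get("value") == PLACEHOLDER and old.get("value") != PLACEHOLDER:
                url["raw"] = url.get("raw", "").replace(
                    f"{old['key']}={old['value']}", f"{old['key']}={PLACEHOLDER}")


def _scrub_items(items, path, findings):
    """Walk folders and requests recursively (folders nest via "item")."""
    for item in items or []:
        here = f"{path}/{item.get('name', '?')}"
        _scrub_auth(item.get("auth"), here, findings)
        _scrub_request(item.get("request"), here, findings)
        _scrub_items(item.get("item"), here, findings)


def sanitize_collection(collection: dict):
    """Return (sanitized deep copy, list of redacted locations); input is untouched."""
    col, findings = copy.deepcopy(collection), []
    _scrub_pairs(col.get("variable"), "variable", findings)
    _scrub_auth(col.get("auth"), "collection", findings)
    _scrub_items(col.get("item"), "item", findings)
    return col, findings


def sanitize_environment(env: dict):
    """Environment export layout (assumed): {"name": ..., "values": [{key, value, enabled}]}."""
    env, findings = copy.deepcopy(env), []
    _scrub_pairs(env.get("values"), f"env/{env.get('name', '?')}", findings)
    return env, findings


# Constructed sample export with fake credentials (hypothetical app, not real data).
SAMPLE_COLLECTION = {
    "info": {"name": "Fastfood Delivery API"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"},
                 {"key": "apiKey", "value": "sk_live_4f9c2d7e1b8a3c6e0d5f2a9b7c1e4d6f"}],
    "auth": {"type": "bearer", "bearer": [{"key": "token", "type": "string",
                                           "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl"}]},
    "item": [{"name": "Orders", "item": [
        {"name": "Place order", "request": {
            "method": "POST",
            "url": {"raw": "{{baseUrl}}/orders?api_key=abc123def456",
                    "query": [{"key": "api_key", "value": "abc123def456"}]},
            "header": [{"key": "Authorization", "value": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln"},
                       {"key": "Content-Type", "value": "application/json"},
                       {"key": "Cookie", "value": "session=deadbeefcafe"}]}},
        {"name": "List menu", "request": {"method": "GET", "url": "{{baseUrl}}/menu",
                                          "header": [{"key": "Authorization", "value": "{{token}}"}]}},
    ]}],
}
SAMPLE_ENVIRONMENT = {"name": "prod", "values": [
    {"key": "baseUrl", "value": "https://api.example.test", "enabled": True},
    {"key": "token", "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJwcm9kIn0.c2ln", "enabled": True},
    {"key": "clientSecret", "value": "s3cr3t-value", "enabled": True},
]}

if __name__ == "__main__":
    for label, (clean, hits) in (("collection", sanitize_collection(SAMPLE_COLLECTION)),
                                 ("environment", sanitize_environment(SAMPLE_ENVIRONMENT))):
        print(f"{label}: {len(hits)} secret(s) redacted at {hits}")
        print(json.dumps(clean, indent=2))
```

Run it over `Collection.postman_collection.json` / `env.postman_environment.json` exports and publish only the sanitized output; treat every path it reports as a credential to rotate, because "it was only in the collection for a day" still means it was shared. The name and value heuristics are deliberately greedy (a false positive costs you a placeholder, a miss costs you the API), and they do not look inside request bodies or saved example responses, so those still need the manual sweep from step 1.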

But Yea...

Like... real talk. Postman is convenient, yes. But convenience doesn't mean you get to ignore security. In the wrong hands, those collections of yours are a buffet for someone who's hungry for access to your backend services.

Please... do better, and remember... share like your career depends on it. Because it just might. 😅

References

cosad3s/postleaks (GitHub): Search for sensitive data in the Postman public library.
boringthegod/postmaniac (GitHub): Postman OSINT tool to extract creds, tokens, usernames, emails and more from Postman public workspaces.
Exposed Postman Collections: A Significant Security Risk You Should Be Aware Of.
CloudSEK Threat Intelligence: Hackers Scour Exposed Postman Instances For Credentials and API Secrets.