Postman is an API platform for developers to design, build and test their APIs. The platform allows users to work in teams and organizations, giving users the option to share their workspace over the Internet. One of its features is the ability to organize requests (GET, POST, PATCH, etc.) on different ‘pages’, with the option to define request parameters, headers, authorization, body and tests. The issue arises when request parameters are populated directly with values such as passwords, API tokens and secrets, and the workspace containing them has been shared publicly.

In order to find these workspaces, we use one of the best tools there is: Google Search. In the example below, I am using the ‘site’ search operator combined with a target. The target in my case is all New Zealand-based sites with domains ending in “co.nz”, but in your case it could be a company, tool or platform.

As we can see in the screenshot above, we get a variety of workspaces. Not all workspaces will leak information, but in my experience (combined with the right Google search), most ended up containing some form of unintended disclosure, ranging from PII to service credentials. Exploring one of the entries, as shown in the screenshots below, we can see that the password for a Gmail account has been leaked, as well as an authorization token for an endpoint.

Additionally, if a workspace was once public but has since been made private, remember to check the Google Search cache. Clicking the ‘View source’ button on webcache.googleusercontent.com for the Postman link in question can reveal the token, password or credential if the value was once accessible.

This technique can be used for non-interactive reconnaissance to gather credentials that have been leaked accidentally. In some cases, workspace visibility can be enforced at an organisation level to try to prevent this from happening, though developers still have the ability to spin up their own standalone workspaces. A simple solution is to educate the developers and users who rely on Postman for their day-to-day activities about this risk.
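As an added example (not part of the original post or of Postman's own tooling), here is a pre-publish check that walks an exported Postman Collection v2.1 JSON and flags literal credentials left in auth blocks, headers, query parameters and form bodies where a `{{variable}}` reference should have been used. The field names follow the public collection format; the sample collection and its values are constructed for illustration.

```python
import re
# Keys whose literal values are almost always secrets (matched case-insensitively).
SENSITIVE_KEY = re.compile(r"pass(word)?|token|secret|api[-_]?key|authorization|credential", re.I)
# A value carrying a Postman variable reference such as {{api_token}} is parameterised, not a literal.
VARIABLE_REF = re.compile(r"\{\{[^}]+\}\}")

def _check(findings, path, key, value):
    """Record a key/value pair when the key looks sensitive and the value is a literal."""
    if isinstance(value, str) and value and SENSITIVE_KEY.search(key) and not VARIABLE_REF.search(value):
        findings.append({"path": path, "key": key, "value": value})

def _check_pairs(findings, path, pairs):
    for p in pairs or []:  # headers, query params and form bodies are {key, value[, disabled]} lists
        if isinstance(p, dict) and not p.get("disabled"):
            _check(findings, path, str(p.get("key", "")), p.get("value"))

def _check_request(findings, path, req):
    if not isinstance(req, dict):  # a bare URL string carries no auth, header or body data
        return
    auth = req.get("auth") or {}
    kind = auth.get("type", "")  # fields live under the type, e.g. {"type": "bearer", "bearer": [...]}
    for p in auth.get(kind) or []:
        _check(findings, f"{path}/auth", f"{kind}.{p.get('key', '')}", p.get("value"))
    _check_pairs(findings, f"{path}/header", req.get("header"))
    if isinstance(req.get("url"), dict):  # url may also be a plain string
        _check_pairs(findings, f"{path}/query", req["url"].get("query"))
    body = req.get("body") or {}
    if body.get("mode") in ("urlencoded", "formdata"):
        _check_pairs(findings, f"{path}/body", body.get(body["mode"]))

def scan_collection(collection):
    """Walk a parsed Collection v2.1 dict (folders nest via 'item') and return the findings."""
    findings = []
    def walk(items, path):
        for it in items or []:
            name = f"{path}/{it.get('name', '?')}"
            if "item" in it:
                walk(it["item"], name)
            elif "request" in it:
                _check_request(findings, name, it["request"])
    walk(collection.get("item"), "")
    return findings

SAMPLE_COLLECTION = {  # constructed sample export, not a real workspace
    "item": [{"name": "Login", "request": {"url": "https://api.example.com/login",
        "body": {"mode": "urlencoded", "urlencoded": [{"key": "user", "value": "dev"}, {"key": "password", "value": "hunter2"}]}}},
    {"name": "Profile", "item": [{"name": "Get profile", "request": {
        "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{api_token}}"}]},
        "header": [{"key": "X-API-Key", "value": "sk_live_EXAMPLE123"}],
        "url": {"raw": "https://api.example.com/me?token=abc", "query": [{"key": "token", "value": "abc"}]}}}]}]}
```

Run `scan_collection(json.load(open("export.json")))` against a collection export before sharing it; any finding is a value that should be moved into a Postman variable or environment instead of the request itself.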