Postman Delivering Secrets

APIs connect web applications, allowing platforms to communicate with one another for a seamless exchange of data and more. In the past decade, API use has skyrocketed to account for over 83% of web traffic today. With this growth, API attacks have also been steadily rising. According to Gartner, 90% of web-enabled applications will have more attack surface area in exposed APIs than in the user interface.

In February of 2021, Postman launched a public API platform where developers could collaborate to build software. Now in 2024, Postman has the largest collection of public APIs. Naturally, this makes it a prime target for attackers.

Additionally, the platform's user interface and naming scheme are confusing for developers, making it easy for them to make mistakes and leave sensitive data exposed. And as usual, development takes center stage while security is not seen as a priority by many, resulting in a high volume of leaked secrets.

These secrets consist primarily of URIs (Uniform Resource Identifiers), GitHub tokens, authentication codes, Postman API keys, login credentials and other values that could be exploited to gain access to, and control of, a variety of platforms. The exact quantity of leaked secrets is hard for researchers to gauge, because the Postman platform has a limited search function. However, the estimate was in the thousands, and that is a conservative figure.
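As an added example (not code from the article, FireTail or Postman), the following Python script scans a Postman environment or collection export for the secret types named above before a workspace is made public; the sample environment and every token value in it are constructed and fake.

```python
"""Scan a Postman environment or collection export for leaked secrets.
Added example, not from the article or from Postman. Every string in the
export is matched against patterns for the secret types the article names;
environment variables with credential-like names that are not typed
"secret" (the only type Postman masks) are flagged. Sample is constructed."""

import json
import re
import sys

PATTERNS = {
    "uri_with_credentials": re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s/:@]+:[^\s/@]+@"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "postman_api_key": re.compile(r"\bPMAK-[0-9a-f]{24}-[0-9a-f]{34}\b"),
}
SENSITIVE_KEY = re.compile(r"(?i)token|key|secret|password")

def walk(node, path="$"):
    # Yield (json_path, text) for every string value in the document.
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_export(doc):
    """Return [(json_path, finding)] for an environment or collection dict."""
    findings = [(path, name) for path, text in walk(doc)
                for name, rx in PATTERNS.items() if rx.search(text)]
    # Environment exports keep variables under "values"; unmasked ones are risky.
    for i, var in enumerate(doc.get("values", [])):
        if var.get("value") and var.get("type") != "secret" \
                and SENSITIVE_KEY.search(var.get("key", "")):
            findings.append((f"$.values[{i}]", "unmasked_secret_variable"))
    return findings

SAMPLE_ENV = {  # constructed Postman environment export; all tokens are fake
    "values": [
        {"key": "baseUrl", "value": "https://api.example.com", "type": "default"},
        {"key": "dbUrl", "value": "postgres://app:hunter2@db.example.com:5432/app", "type": "default"},
        {"key": "githubToken", "value": "ghp_FAKE" + "0" * 32, "type": "default"},
        {"key": "pmKey", "value": "PMAK-" + "0" * 24 + "-" + "0" * 34, "type": "secret"},
    ],
}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENV
    print("\n".join(f"{f:26} {p}" for p, f in scan_export(doc)))
```

Run it against an exported environment or collection JSON file as a pre-publish check; the patterns are a starting point and should be extended with the token formats your own services issue.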

If not addressed properly, these leaked secrets could lead to catastrophic consequences for those involved.

API security is a top concern in today’s cyber climate. Staying on top of API security can be a challenge in an environment saturated with threats, where rapid development is often preferred over slow and secure progress. And keeping sensitive data private can be even trickier on platforms where secrets easily slip through the cracks for hackers and bad actors to snatch up.

A strong API security posture should start with visibility and include authentication, authorization, alerting and monitoring, an API inventory, and a centralized dashboard to keep track of all your API activity. FireTail has engineered a hybrid solution to API security that has everything you and your team need to bolster your cybersecurity posture. Want to learn more? Schedule a free 30-minute demo with us here.