Postman is logging all your secrets and environment variables

3 min read · May 16, 2025

I was originally investigating this report that Postman is not HIPAA compliant. I found that Postman is not just wholly unsuitable for anyone testing a healthcare application — it has virtually zero regard for the privacy of any of its users, and has probably logged every secret string you have ever given it.

Charles Proxy

This investigation would not have been possible (or so effortless) without Charles Proxy. It is $50 for a lifetime license — when you cancel your $49/month enterprise seat at Postman after reading this post, please consider supporting truly ethical software developers by purchasing a license, even if it’s just to verify my findings for yourself.

The first thing you’ll notice is that Postman logs a lot of stuff. Before you even interact with the app in any way, hundreds of network requests have been fired off to a constellation of analytics tools and third-party integrations.

This is actually quite common in modern software, which tends to follow the ethos of log everything.

Certificate pinning

To inspect the encrypted traffic flowing to Postman endpoints, you will need to enable SSL proxying in Charles for the Postman hosts and bypass the client's certificate pinning.

Once the client trusts the proxy's root CA certificate in place of the real issuer, you can start to see the decrypted payloads that are being sent to Postman's servers.

Postman leaks secrets

This was so trivially easy to find that I was genuinely surprised nobody else is making a big deal about this. If I create an environment variable and set it to “secret”, it might be hidden from the rest of my team, but it’s definitely not hidden in the logs sent to Postman.

It doesn't matter whether you mark an environment variable as secret or not. Whether or not it is masked on the screen, Postman captures it via the resolvedRequestUrl string, which records the request URL after variable substitution, so a secret that appears anywhere in the path or query string is sent along in the clear.

The Postman UI has a popup with a bold claim, that variables are a way to “protect sensitive data” — this is a verifiable lie if my supposedly sensitive data is being sent to your logs in plain text.

Just to be precise on what the problem is here:

  • If I create a secret string, I don't want you to send it to your company servers. I don't see how that is an unreasonable expectation.
  • Some care seems to have been taken not to log headers, but URLs and query parameters are logged, so PHI and other sensitive data can still end up in Postman's logs whenever they travel in the URL rather than in a header or body.
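If you want to reproduce the check yourself, the quickest way is to save the Charles session as a HAR file and scan every request to a vendor host for the values of your secret variables. The script below is an added example, not code from the original post or from Postman: the HAR structure is real, but the sample capture, the environment export, and every telemetry field name other than resolvedRequestUrl are constructed here for illustration.

```python
"""Scan a HAR capture for secret variable values that reached vendor telemetry hosts.

Added example (not from the original post). The HAR layout follows the
HAR 1.2 spec; the sample entries, the environment export and all telemetry
field names apart from resolvedRequestUrl are constructed assumptions.
"""
from __future__ import annotations

import json
from typing import Any, Iterator
from urllib.parse import urlsplit

# Constructed sample: an environment with one variable marked "secret".
ENVIRONMENT = {
    "values": [
        {"key": "baseUrl", "value": "https://api.example.test", "type": "default"},
        {"key": "apiKey", "value": "sk_live_4f9c1b2e7a", "type": "secret"},
    ]
}

# Constructed sample capture: one telemetry POST to a Postman gateway host
# (path assumed) and one legitimate request to the API under test.
CAPTURE = {
    "log": {
        "entries": [
            {
                "request": {
                    "method": "POST",
                    "url": "https://bifrost-https-v4.gw.postman.com/example",
                    "postData": {
                        "mimeType": "application/json",
                        "text": json.dumps({
                            "event": "request_sent",
                            "resolvedRequestUrl": (
                                "https://api.example.test/patients"
                                "?apiKey=sk_live_4f9c1b2e7a"
                            ),
                        }),
                    },
                }
            },
            {
                "request": {
                    "method": "GET",
                    "url": "https://api.example.test/patients?apiKey=sk_live_4f9c1b2e7a",
                    "postData": {"mimeType": "text/plain", "text": ""},
                }
            },
        ]
    }
}


def secret_values(environment: dict) -> dict[str, str]:
    """Map variable name -> value for every variable the user marked secret."""
    return {v["key"]: v["value"] for v in environment["values"] if v.get("type") == "secret"}


def walk_strings(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, text) for every string leaf.

    A string that itself parses as a JSON object or array is descended into
    instead of being reported, so nested encoded payloads are searched too.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        try:
            inner = json.loads(node)
        except ValueError:
            inner = None
        if isinstance(inner, (dict, list)):
            yield from walk_strings(inner, path)
        else:
            yield path, node


def find_leaks(har: dict, secrets: dict[str, str], vendor_domain: str) -> list[dict]:
    """Report each secret value found in a request sent to the vendor domain.

    Requests to other hosts are ignored: the API under test is supposed to
    receive the key; the telemetry endpoint is not.
    """
    leaks = []
    for idx, entry in enumerate(har["log"]["entries"]):
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if host != vendor_domain and not host.endswith("." + vendor_domain):
            continue
        body = req.get("postData", {}).get("text", "")
        for field, text in walk_strings({"url": req["url"], "body": body}):
            for name, value in secrets.items():
                if value and value in text:
                    leaks.append({"entry": idx, "host": host, "variable": name, "field": field})
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(CAPTURE, secret_values(ENVIRONMENT), "gw.postman.com"):
        print(f"entry {leak['entry']}: {leak['variable']} sent to {leak['host']} in {leak['field']}")
```

Point the script at a real export by loading the HAR file with json.load and your exported environment in place of the constructed constants; the field path it prints ($.body.resolvedRequestUrl for the sample) is what to look for in the decrypted payload in Charles.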

If you really must use Postman

At least add this to your /etc/hosts file, so the analytics endpoints that are logging your secrets stop receiving them. An override in /etc/hosts only helps if the client resolves these names through the system resolver, and it only covers the hosts listed, so re-run the capture afterwards and confirm the requests have actually stopped.

127.0.0.1 bifrost-https-v4.gw.postman.com
127.0.0.1 bifrost-v4-global.gw.postman.com

A note about ethics

Why is there no Hippocratic Oath for software developers? Postman is probably not the only tool where the employees are stashing your unencrypted strings in unencrypted places.

Now if I carry out this oath, and break it not, may I gain for ever reputation among all men for my life and for my art; but if I break it and forswear myself, may the opposite befall me.

a data scientist