
Do you share your passwords with free tools online?

Published Jun 13, 2021

Did you know that most engineers unknowingly expose sensitive information to unknown service providers? The most common kind of information shared this way is your own or your application's secrets, such as identities and passwords.

This post talks about Postman, but that does not mean Postman is bad. In fact, it is one of the best tools for working with REST APIs, and one of my go-to tools every day. But you need to be aware of what information such free tools might save about you and your applications, and how. If you use features that might save your passwords in plain text, it might, in some cases, be harmful!

Postman is a REST API client, and one of its features is storing the history of the API requests a developer has made; that history gets saved on their servers. The good thing about this feature is that it lets developers access the same set of requests on multiple devices by syncing all the info.

However, the point of concern here is that Postman doesn't guarantee that the stored information will be secure. People could have requests saved in Postman for getting an AAD token using their credentials, which is a big security threat.

Refer to the Postman EULA and look for the section "Ownership and Sharing of Content": https://www.getpostman.com/licenses/postman_base_app
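One way to check what a saved request would carry before it is synced is to scan an exported collection for literal credentials. This is an added example, not code from the original post or from Postman; it assumes the Collection v2.1 export layout, and the key-name list, function names and sample data are constructed for illustration.

```python
import re

# Heuristic list of field names that usually carry a secret (assumption; extend as needed).
SECRET_KEYS = re.compile(r"pass(word)?|secret|token|api[-_]?key|authorization", re.I)
# "{{var}}" or "Bearer {{var}}" is resolved at send time, so no literal is stored here.
VARIABLE_ONLY = re.compile(r"^\s*(\w+\s+)?\{\{[^{}]+\}\}\s*$")

def _pairs(request):
    """Yield (location, key, value) for places a v2.1 request can hold a credential."""
    for h in request.get("header") or []:
        yield "header", h.get("key", ""), h.get("value", "")
    body = request.get("body") or {}
    for mode in ("urlencoded", "formdata"):
        for p in body.get(mode) or []:
            yield f"body.{mode}", p.get("key", ""), p.get("value", "")
    auth = request.get("auth") or {}
    for p in auth.get(auth.get("type", "")) or []:
        yield "auth", p.get("key", ""), p.get("value", "")

def find_literal_secrets(node, path=""):
    """Walk folders recursively; return (request path, location, key) per literal secret."""
    findings = []
    for item in node.get("item", []):
        name = f"{path}/{item.get('name', '?')}"
        if "item" in item:  # a folder: recurse into it
            findings += find_literal_secrets(item, name)
            continue
        request = item.get("request")
        pairs = _pairs(request) if isinstance(request, dict) else []  # may be a bare URL string
        for where, key, value in pairs:
            if SECRET_KEYS.search(str(key)) and value and not VARIABLE_ONLY.match(str(value)):
                findings.append((name, where, key))
    return findings

# Constructed sample collection; tenant, user and password are placeholders, not real values.
SAMPLE = {"item": [
    {"name": "Auth", "item": [{"name": "Get AAD token", "request": {"method": "POST",
        "url": "https://login.microsoftonline.com/TENANT_PLACEHOLDER/oauth2/v2.0/token",
        "body": {"mode": "urlencoded", "urlencoded": [
            {"key": "grant_type", "value": "password"},
            {"key": "username", "value": "dev@example.com"},
            {"key": "password", "value": "constructed-not-real"},
            {"key": "client_secret", "value": "{{client_secret}}"}]}}}]},
    {"name": "List items", "request": {"method": "GET", "url": "https://api.example.com/items",
        "header": [{"key": "Authorization", "value": "Bearer {{access_token}}"}]}},
]}

if __name__ == "__main__":
    print(*find_literal_secrets(SAMPLE), sep="\n")
```

To scan a real export, load the file with `json.load` and pass the resulting dict to `find_literal_secrets`. Key-name matching is a heuristic, so review each finding by hand.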

So, with this post I want to request people (especially developers) to be cautious when using the sign-in feature of such tools and to make sure they really want to save their information on third-party servers, sometimes in plain text.

I am sure there are a lot of other tools where people might be accidentally or unknowingly sharing their credentials or identity.

With this post I would like to ask people to think about such tools and share them with everyone, so that we collectively build a secure workspace for everyone.

Happy and secure coding!

Discover and read more posts from Abhishek Kumar Mishra