For example, a developer making API calls to something like '/product/beta/car_dashboard/automatic_breaks/engage/pedestrian_detection/' may reveal quite a lot. The ExtraHop team raised concerns that developers usually access URLs of internal networks, APIs, and applications, and whoever is collecting this browsing history will gain access to URLs that may reveal details about unreleased products, hidden features, or a company's intranet or internal network structure.

Updates pertaining to newer versions are not pushed to this repository. This repository contains the codebase for the Postman Chrome Extension legacy version - v0.0.1 to v0.9.9.

There is no connection between the two extensions besides the same name.

Because of its features, Postman is usually found installed on Chrome browsers used by web developers.

An extension collecting browsing history might sound benign, but in a phone call today, the ExtraHop team told ZDNet that this behavior is extremely worrisome when observed in this particular case.

Today, we’re proud to announce a new beta version of Postman that we’ve been working on to address a wide range of requests from our fantastic user community: Postman on the web.

Postman Chrome Extension Legacy Version n.
For the rest of this article, the name Postman will be used to refer to the malicious extension, and not the legitimate one. The extension, which has over 27,000 installs, is a blatant clone of Postman, a very popular Chrome extension that can be used for testing and real-time editing of API requests.