Back in 2014, the increasingly popular Postman REST client was a Chrome app that you could install from the Chrome Web Store. Since then, Google deprecated chrome apps and Postman on your computers is installed as a standalone app. It is available cross-platform. Postman itself has moved on from being just a REST client to a complete API Development Environment. While we have more and more users migrating to our standalone apps every month, we still have users who use the deprecated Chrome app, primarily as a REST client.
A fake app appears
Recently, we received a security report about a seemingly fake extension resembling Postman on the Chrome Web Store. The security team at Postman got to work as soon as the incident was reported.
At a quick glance, this extension appeared to be a developer tool with the basic functionality that Postman offers, and looked very similar. We found that this extension was already downloaded 27,000 times. On investigating further, we found that this extension was sending user data to a server controlled by an attacker. This made all of the users of this extension a potential target for a data breach.
Postman does not publish any more apps or extensions on the Chrome Web Store. Any app or extension published there that resembles Postman, irrespective of how many downloads it has, is dangerous to use. Once such an app has been installed on a user’s system, depending on the access it has, there is no guarantee what it can do — it can steal confidential data, install spyware or other back-doors in the system, just to name a few possibilities.
How we identified the risks (Hint: Automation)
The security team at Postman is responsible for regular vulnerability assessments, penetration testing, security monitoring, and investigating suspicious activities flagged by security monitors.
Since that incident, the security team wanted to proactively check for such fake apps and extensions which use Postman’s brand identity to coax users and report them to Google so that they can be taken down. We created a Postman Collection that scans the Chrome Web Store for potential fake listings.
The collection filters through the search results, comparing each entry with the characteristics of a fake Postman app. On a match, collection reports that app or extension to our security team as a message to our private Slack channel. We mounted this collection on a Monitor to have it run regularly so that the identification process can be automated without further effort. If we spot anything suspicious, we manually look into these extensions and see if they need to be reported.
Our checklist to identify fake and malicious apps and extensions
We have two requests in that collection.
In the first request, we define a set of characteristics that identify an app as a fake Postman app. This request includes test scripts for:
- whether an app’s or extension’s title or developer name mentions the word ‘Postman’,
- identifying other keywords in the app/extension description, such as ‘REST client’, ‘API testing’, etc.
- looking at category, rating, and reviews for similarities with the Postman brand.
There is no public or partner APIs available for the Chrome Web Store that we are aware of. So, we simulated an actual search query for the keyword “postman” in this request.
The second request in the collection is executed only when a potential candidate is found from the list parsed by the first request. This request formats the available data and pushes to the Slack channel that I mentioned earlier.
What the fake app detector collection looks like
We created a generic collection which any Chrome app developer or publisher can use to detect any such counterfeit apps. It uses a few variables to set the terms to search for and a Slack webhook URL to push the final results to, all of which can be set using an environment in Postman. With those values set, each run of the collection will post potential fake candidate apps or extensions to the Slack channel linked to the provided webhook URL.
These are the properties that need to be set in the environment:
app_title: Your application title, same as in Chrome web-store.
app_developer: Developer name, same as in Chrome web-store.
app_keywords: A list of keywords that describes your app.
search_api_key: An API key for Google custom search engine.
cx: Google custom search engine ID.
slack_webhook_url: Slack Webhook URL.
To search Chrome apps, you need to create a custom search engine on Google. As we are only looking for Chrome apps for our use case, we can limit the search to the Chrome web-store. To know how to create your own custom search engine read here. Once you have created a custom search engine, you need to provide its API key in the
search_api_key environment variable and the custom search engine ID in the
cx environment vartiable.
With everything set, here is how the collection looks like in the Build view in Postman:
We have published this collection as a Template in Postman. You can load this collection in your Postman app by clicking the
New button ->
Templates -> Search for “Find Fake Chrome Apps”, and then use the template.
Alternatively, you can view the collection on its published documentation page.
Reporting and mitigating the risks
Not all the fake apps and extensions are malicious, yet there’s a risk involved in using them. Some of them are just applications similar to Postman and use the Postman brand and trademark to get more downloads. That’s all.
That’s why we need human intervention as well. The security team individually verifies and tests each one of the fake app for malicious intent.
If a malicious app is found then the security team takes immediate action and reports to Google. If it is a case of trademark violation, then we escalate it to our legal teams to take appropriate action.
We’ve got your back
At Postman, we ensure that our products meet the highest security and quality criteria. We ensure that nothing unwanted or malicious creeps in through the cracks. We keep watch on the wider ecosystem to ensure that you can develop and test APIs in peace.