postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Postman Connecting to Known TOR Exit Node #13216

Closed krebznet closed 1 month ago

krebznet commented 1 month ago

Is there an existing issue for this?

Describe the Issue

Hey everyone,

I was using Wireshark to monitor my network and noticed something unexpected—my Postman process on macOS is connecting to a known TOR exit node (IP: 162.247.74.216). I’m wondering if there’s any legitimate reason for Postman to be making this connection? Has anyone encountered this before, or could it be something I should look into further?

Also, I noticed this creepy URL in the Postman logs. Is this legit?

[auth][info]["Authentication~will-navigate:","https://erisedstraehruoytubecafruoytonwohsi.chromiumapp.org"]

The reversed URL, when split, appears to say: “is not your face but your desire”, from Harry Potter. Guys, a lot of this does not add up to me. Could this be a bug, or could this be a larger issue?

Thanks!

Steps To Reproduce

1. Launch Wireshark
2. Launch Postman
3. Observe Postman reaching TOR exit node IP addresses.

Screenshots or Videos

No response

Operating System

macOS

Postman Version

11.17.1

Postman Platform

Postman App

User Account Type

Signed In User

Additional Context?

No response

y-mehta commented 1 month ago

Hi @krebznet,

erisedstraehruoytubecafruoytonwohsi.chromiumapp.org is a dummy URL used internally for handling OAuth transfer, and it was added intentionally. We've analyzed the network communication happening from the Postman app and don't see any traces of it reaching out to a known TOR IP.

162.247.243.29 - This IP is part of a CIDR range owned by NewRelic 162.247.240.0/22. You can see the list at https://docs.newrelic.com/docs/new-relic-solutions/get-started/networks/#ingest-blocks.

We've responded to your support ticket. Could you please share your PCAP file for analysis via the same ticket?
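The attribution step krebznet describes (mapping a destination seen in the capture to a local process with lsof) and the CIDR check y-mehta applies, as an added example that is not part of this thread or of Postman's own tooling. The lsof output below is constructed, not a real capture, and the only block it treats as explained is the NewRelic range named above; any other destination is reported as one to keep a PCAP for before drawing conclusions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample of `sudo lsof -i -n -P` output on macOS (not a real capture).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Postman   41230 alice   38u  IPv4 0x1a2b      0t0  TCP 10.0.0.5:52344->162.247.243.29:443 (ESTABLISHED)
Postman   41230 alice   41u  IPv4 0x1a2c      0t0  TCP 10.0.0.5:52351->162.247.74.216:443 (ESTABLISHED)
Slack     40011 alice   22u  IPv4 0x1a2d      0t0  TCP 10.0.0.5:52360->203.0.113.10:443 (ESTABLISHED)
rapportd    512 alice    4u  IPv6 0x1a2e      0t0  TCP *:49152 (LISTEN)
"""

# Blocks the thread identifies as legitimate destinations (NewRelic ingest range, per y-mehta).
KNOWN_BLOCKS = {"NewRelic ingest": ipaddress.ip_network("162.247.240.0/22")}

# Matches an outbound TCP line: command, PID, then "local->remote:port" in the NAME column.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+.*?TCP\s+\S+->(?P<dst>[\d.]+):(?P<port>\d+)"
)


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """Return one record (cmd, pid, dst, port) per outbound TCP connection in lsof output."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(m.groupdict())
    return conns


def classify(ip: str) -> Optional[str]:
    """Name of the known block containing ip, or None if the destination is unexplained."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_BLOCKS.items():
        if addr in net:
            return name
    return None


def unexplained_connections(text: str, process: str) -> List[str]:
    """Destinations of `process` that fall outside every known block."""
    return [c["dst"] for c in parse_lsof(text)
            if c["cmd"] == process and classify(c["dst"]) is None]


if __name__ == "__main__":
    for dst in unexplained_connections(SAMPLE_LSOF, "Postman"):
        print(f"Postman -> {dst}: not in a known block, capture and keep the PCAP")
```

Run against real output by piping `sudo lsof -i -n -P` into parse_lsof; the `-n -P` flags keep addresses and ports numeric so the regex sees IPs rather than hostnames.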

krebznet commented 1 month ago

Thanks, yes, that is going to a NewRelic site. Sadly I overwrote the capture. I was troubleshooting a Kubernetes cluster while on VPN, and it was Postman on my Mac; it was identified by looking at the source IP address and then doing sudo lsof -i : on my machine. This really was Postman connecting to that known TOR site. Since I don't have the PCAP file there is probably not much you guys can do; thank you for explaining the Chromium part. I uninstalled Postman. It honestly was reaching out to this IP; perhaps something on my machine attached itself, I have no idea, but I know you likely won't be able to reproduce it.

y-mehta commented 1 month ago

Thanks for getting back @krebznet. We've verified the executables from our side, and they're safe to use. We've not observed any communication with the TOR network during analysis. Considering that the PCAP file is unavailable, I'll close this issue. If you observe the same behavior again in the future, please feel free to reach out to security@postman.com.