Laravel debug mode could expose your API keys

Our deliverability team stays up to date on email spam trends. It sometimes feels like whack-a-mole trying to stay one step ahead of spammers. One trend that we're currently following is bad actors using an automated tool that looks for live Laravel sites in debug mode.

Laravel debug mode is a way for developers to troubleshoot issues with a site during local development. Letting a developer see what tokens or passwords they're using is a great way to speed up development. Debug mode itself isn’t a vulnerability with Postmark or Laravel—many frameworks have this type of feature. However, this sensitive data is available in plain text, and can become very dangerous when debug mode is left on for a live site. That means a scammer can discover this information and can use it, too. Using cheap and simple automated tools, bad actors can quickly check if a site has debug mode on and extract sensitive information from the site.

If a scammer finds an exposed API Token for Postmark through this mode, they can then easily gain unauthorized use of the Postmark account to send phishing emails. We’ve already identified some Postmark senders exploited in this way. When we discover an account sending spam messages, we must pause sending on the account until the issue is resolved. This is done to help protect the site's domain reputation as well as Postmark's sending reputation.

We encourage all Postmark customers that use Laravel to make sure that debug mode is turned off for live sites (APP_DEBUG=false). If you find debug mode is set to true, we ask you to set it to false before rotating your Postmark API Token(s). You'll want to do the same for other exposed API Tokens and site passwords as an extra level of security.
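To check a deployment for this, the sketch below audits the contents of a `.env` file: it reports whether `APP_DEBUG` is effectively on and, if so, which keys look like credentials to rotate once debug mode has been turned off. It is an added example, not Postmark's or Laravel's own code. It assumes the stock `(bool) env('APP_DEBUG', false)` setting in `config/app.php`; the key-name heuristic and the sample file are constructed for illustration.

```python
import re

# Values Laravel's env() helper maps to false/null/empty, plus "0" and "",
# which PHP's (bool) cast treats as false. Anything else enables debug.
# (Assumption: config/app.php uses the stock `(bool) env('APP_DEBUG', false)`.)
FALSY = {"false", "(false)", "null", "(null)", "empty", "(empty)", "", "0"}

# Key-name fragments that suggest a credential worth rotating (heuristic).
SECRET_HINT = re.compile(r"(TOKEN|SECRET|PASSWORD|KEY)", re.I)
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse .env text into a dict; for duplicate keys the last one is kept."""
    env = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # blank line, comment, or malformed line
            continue
        key, val = m.group(1), m.group(2).strip()
        if val[:1] in ("'", '"'):
            end = val.find(val[0], 1)  # closing quote, if present
            val = val[1:end] if end != -1 else val[1:]
        else:
            val = re.split(r"\s+#", val, maxsplit=1)[0].strip()  # inline comment
        env[key] = val
    return env


def audit(text):
    """Return (debug_on, keys_to_rotate) for the given .env contents."""
    env = parse_env(text)
    debug_on = env.get("APP_DEBUG", "").lower() not in FALSY
    rotate = sorted(k for k, v in env.items() if v and SECRET_HINT.search(k))
    return debug_on, (rotate if debug_on else [])


# Constructed sample file; the values are placeholders, not real credentials.
SAMPLE = """\
APP_ENV=production
APP_KEY=base64:PLACEHOLDER
APP_DEBUG="True"   # left on after a troubleshooting session
DB_PASSWORD='example-password'
POSTMARK_TOKEN=00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A clean `.env` does not show whether debug mode was on earlier, so rotation may still be needed for a site that ran with it enabled.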

Brian Kerr

Customer Centric. Purveyor of fine coffee. Part time cyclist.