Summary by 6mile
Retool is a low-code platform that allows its customers to build custom applications quickly and easily. When a customer creates a Retool application, the platform automatically creates a Postgres database for that application, which then stores the data and user information for the app. These databases are typically AWS RDS Postgres databases. I found an API endpoint (/api/resources) in Retool applications that was exposing database credentials in its JSON response body. These database credentials allow attackers to log into the application's Postgres database as root, where they have admin write-level privileges and can effectively do anything they want. Once I alerted Retool to this problem, they fixed the API endpoint and it no longer exposes database credentials.
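The failure described above is a resource-listing endpoint that serialises a stored connection record wholesale, credentials included. The example below is added here to illustrate that class of bug from a defender's side; it is not Retool's code, and the record shape, field names, host and password values are constructed for the example. It places the leaky serialisation beside an allowlisted one and adds a small response audit that walks a JSON body and reports any populated field whose name looks like a secret, which is the kind of check that can run in tests or a CI gate against an `/api/resources`-style response.

```python
import json
import re

# Constructed sample: one resource record as it might sit in a platform's
# metadata store. Every field name and value here is invented for this example.
RESOURCE_ROW = {
    "id": 42,
    "name": "app-db",
    "type": "postgresql",
    "host": "example-db.cluster-placeholder.us-east-1.rds.amazonaws.com",
    "port": 5432,
    "database": "appdata",
    "username": "root",
    "password": "placeholder-not-a-real-password",
    "ssl": True,
}

# Leaky pattern: the whole stored record is serialised into the response,
# so whatever columns the table has (credentials included) reach the client.
def resources_response_vulnerable(rows):
    return json.dumps({"resources": rows})

# Hardened pattern: an explicit allowlist of fields that are safe to return.
# Credentials stay server-side; a new secret column added later is not
# exposed by default because it is not on the list.
PUBLIC_FIELDS = ("id", "name", "type", "host", "port", "database", "ssl")

def public_view(row):
    return {k: row[k] for k in PUBLIC_FIELDS if k in row}

def resources_response_hardened(rows):
    return json.dumps({"resources": [public_view(r) for r in rows]})

# Response audit: flag any non-empty string value stored under a key whose
# name suggests a credential. The key pattern is an assumption for this
# example; tune it to the naming used in the system under test.
SECRET_KEY_RE = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key|connection[_-]?string)",
    re.IGNORECASE,
)

def find_secret_fields(obj, path=""):
    """Return JSON paths (e.g. 'resources[0].password') of suspicious fields."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            sub = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                hits.append(sub)
            hits.extend(find_secret_fields(value, sub))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_secret_fields(value, f"{path}[{i}]"))
    return hits

def audit_response(body):
    """Parse a JSON response body and list any credential-looking fields."""
    return find_secret_fields(json.loads(body))

if __name__ == "__main__":
    leaky = resources_response_vulnerable([RESOURCE_ROW])
    safe = resources_response_hardened([RESOURCE_ROW])
    print("leaky response exposes:", audit_response(leaky))
    print("hardened response exposes:", audit_response(safe))
```

The audit walks arbitrary nesting, so it works on a single record, a list of records, or a wrapped envelope. It is a cheap guardrail rather than a complete control: the real fix is the allowlisted view, and the audit exists to catch the day someone reintroduces whole-record serialisation.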