
Stripe Security Advisory: API Keys in JavaScript Allow Full Account Takeover

11 points | not_a_doctor | 9 years ago

I was doing some code searches with nerdydata.com to find which websites use Stripe's JavaScript integration.

By chance I searched for Stripe Secret API Keys (using this regular expression: sk_live_\w+) and found that there are a few sites exposing keys in publicly available source code.

These secret API Keys let anyone access a full list of the business's customers' information, including names, emails, credit card types/last4, and other related banking information.

Always consider exposed keys as compromised. I wonder how long they have been live and public.

https://nerdydata.com/search?regex=true&terms[]=sk_live_%5Cw%2B

https://nerdydata.com/search?regex=true&table=jsfiles&terms[]=sk_live_%5Cw%2B

https://nerdydata.com/search?regex=true&table=deepweb&terms[]=sk_live_%5Cw%2B
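The defensive counterpart of the search above, added here as an example and not code from the post or from Stripe: a pre-deploy check that scans the assets about to be published, lets publishable keys (`pk_*`, meant for browser code) through, and fails the build on secret-class keys (`sk_*`, and `rk_*` restricted keys) using the same `sk_live_\w+` shape. The file names and key values are constructed placeholders.

```javascript
// Added example (not from the original post or from Stripe): gate a deploy on
// Stripe key material found in client-bound files. Publishable keys belong in
// browser JS; secret (sk_) and restricted (rk_) keys never do.
const KEY_PATTERN = /\b(sk|rk|pk)_(live|test)_\w+/g; // same shape as the post's sk_live_\w+ search

// Keep the prefix and the last four characters so a report can go into a log
// or ticket without reproducing the secret itself.
function redactKey(key) {
  const prefixLen = key.indexOf("_", key.indexOf("_") + 1) + 1; // through "sk_live_"
  const stars = "*".repeat(Math.max(0, key.length - prefixLen - 4));
  return `${key.slice(0, prefixLen)}${stars}${key.slice(-4)}`;
}

// One finding per key occurrence: { file, line, kind, mode, redacted }.
function scanSource(source, file = "<inline>") {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(KEY_PATTERN)) {
      findings.push({
        file,
        line: i + 1,
        kind: m[1] === "pk" ? "publishable" : "secret",
        mode: m[2],
        redacted: redactKey(m[0]),
      });
    }
  });
  return findings;
}

function scanFiles(files) {
  return Object.entries(files).flatMap(([name, src]) => scanSource(src, name));
}

// Any secret-class key in client assets fails the deploy. A live-mode secret is
// the customer-data exposure the post describes; a test-mode one is the same
// mistake, so it is blocked as well rather than silently allowed.
function shouldBlockDeploy(findings) {
  return findings.some((f) => f.kind === "secret");
}

// Constructed sample bundle; the key values are placeholders, not real keys.
const SAMPLE_FILES = {
  "checkout.js": "const stripe = Stripe('pk_live_CONSTRUCTEDpublishable000');\nstripe.redirectToCheckout({ sessionId });",
  "admin-widget.js": "// server-side config copied into the client bundle by mistake\nconst stripe = require('stripe')('sk_live_CONSTRUCTEDsecret0001');\nstripe.customers.list({ limit: 100 });",
};

const report = scanFiles(SAMPLE_FILES);
console.log(JSON.stringify(report, null, 2));
console.log(shouldBlockDeploy(report) ? "BLOCK: secret key in client assets" : "ok: only publishable keys found");
```

The redacted form is what should reach CI logs; the finding's file and line are enough for the owner to locate and rotate the key.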

brianwawok | 9 years ago
I very much like how Stripe does their keys. If the key was just a GUID, you would not be able to do this search.

Hopefully they do something like troll Google and GitHub for sk_live and auto-disable those keys ;)