maltfield

@maltfield@monero.town

I make and sell BusKill laptop kill cords. Monero is accepted.

michaelaltfield.net


maltfield,

This can be avoided by enabling CAPTCHA

Sorry, this is misinformation. Graphical CAPTCHAs can be trivially defeated by bots, as the Lemmy devs have said.

If you want to slow the bots down, a hashcash implementation like mCAPTCHA would actually work and the Lemmy devs already said they'd accept a PR for this.
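
A hashcash-style proof-of-work exchange of the kind the comment above refers to, as an added example that is not part of the original comment and is not mCAPTCHA's or Lemmy's code. The challenge format, `SERVER_KEY` and all function names are assumptions made for illustration; single-use tracking of challenges is left out.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret; a real server would load this from protected config.
SERVER_KEY = b"demo-only-secret"

def leading_zero_bits(digest):
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def issue_challenge(difficulty, now=None):
    """Server: mint a stateless challenge 'difficulty:expiry:salt:mac'."""
    expiry = (int(time.time()) if now is None else now) + 120
    body = f"{difficulty}:{expiry}:{os.urandom(8).hex()}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def solve(challenge):
    """Client: brute-force a nonce; expected work doubles per difficulty bit."""
    difficulty = int(challenge.split(":")[0])
    nonce = 0
    while leading_zero_bits(
            hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()) < difficulty:
        nonce += 1
    return nonce

def verify(challenge, nonce, now=None):
    """Server: one HMAC and one hash, however long the client had to work."""
    try:
        difficulty, expiry, salt, mac = challenge.split(":")
        body = f"{difficulty}:{expiry}:{salt}"
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged or altered challenge, e.g. lowered difficulty
        if (int(time.time()) if now is None else now) > int(expiry):
            return False  # stale challenge
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        return leading_zero_bits(digest) >= int(difficulty)
    except ValueError:
        return False  # malformed challenge
```

The cost is asymmetric: each extra difficulty bit doubles the client's expected hashing per signup, while the server's verification cost stays constant.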

Stripe API Key: $70k Stolen from CCs via merchant to debit card "Instant Payments" (webdesigneracademy.com)

From the moment I began my freelance web design business back in 2014, I was collecting payments via Stripe and happily paying their processing fees for the ability to grow my business from just a desire for more freedom to running a company that employs women and supports them to create their own freedom and financial...

maltfield,

I'm curious if any security engineers have covered this incident.

Stripe does support generating Restricted API Keys. With "Restricted API Keys" you're able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account's payout methods (e.g., adding a new "Instant Payments" debit card to the merchant account as this attacker did).

Unfortunately, I asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as "low priority".

...I would appreciate it if more people would jump in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)

maltfield,

Congratulations! You just blocked all emails from the users' subscribed mailing lists and support ticket systems. And they're pissed.

maltfield,

I consider "support" for this as having it documented. It's not a boolean "on" / "off". To "support Restricted API Keys" would mean that they document the minimum set of permissions required (which is a long list of properties, each set to "none" or "read" or "write").

Indeed, I'm very happy to see they've changed it from 'low-priority' to 'high-priority'. Hopefully they'll update the documentation with the permissions needed for Restricted API Keys soon.

maltfield,

Yeah, once they document how to use it, I hope they also publish a PSA telling all users to disable their existing keys and migrate to using Restricted API Keys.
