Comments

maltfield, 11 months ago to cybersecurity in Stripe API Key: $70k Stolen from CCs via merchant to debit card "Instant Payments"

I'm curious if any security engineers have covered this incident.

Stripe does support generating Restricted API Keys. With "Restricted API Keys" you're able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account's payout methods (eg adding a new "Instant Payments" debit card to the merchant account as this attacker did).

Unfortunately, I've asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as "low priority"

• https://github.com/woocommerce/woocommerce-gateway-stripe/issues/634#issuecomment-1168340952

...I would appreciate if more people would jump-in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)

maltfield, 11 months ago to securitynews in Stripe API Key: $70k Stolen from CCs via merchant to debit card "Instant Payments"

I’m curious if any security engineers have covered this incident.

Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (eg adding a new “Instant Payments” debit card to the merchant account as this attacker did).

Unfortunately, I’ve asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”

• github.com/woocommerce/…/634#issuecomment-1168340…

…I would appreciate if more people would jump-in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)