I'm curious if any security engineers have covered this incident.
Stripe does support generating Restricted API Keys. With "Restricted API Keys" you're able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account's payout methods (eg adding a new "Instant Payments" debit card to the merchant account as this attacker did).
Unfortunately, I've asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as "low priority"
I’m curious if any security engineers have covered this incident.
Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (eg adding a new “Instant Payments” debit card to the merchant account as this attacker did).
Unfortunately, I’ve asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”