PayPal OAuth2 Keys
ID: paypal_oauth
Severity: high
Vendor: PayPal
Family: API Token
Description
PayPal is a financial technology company operating an online payments system used by many e-commerce websites and mobile applications.
PayPal's REST API uses OAuth2 client credentials for programmatic calls. A credential is a pair (Client ID, Secret), where the Client ID (like a7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG) acts as the username and the Secret (like z7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG) acts as the password. The pair is presented as HTTP Basic credentials to PayPal's OAuth2 token endpoint (grant_type=client_credentials) and exchanged for a time-limited bearer access token that authorises every subsequent API call, so whoever holds the pair can mint such tokens at will.
Security
Any leakage of the Secret is critical: together with the Client ID it grants whatever API access the application was configured with (payment capture, refunds, payouts, and so on). The Client ID alone is less sensitive, but it should not be exposed needlessly, and finding one in a repository is a strong hint that the matching Secret is committed nearby.
Examples
The following example shows a hardcoded PayPal credential pair (Client ID and Secret) in a properties file:
PAYPAL_ID=a7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG
PAYPAL_SECRET=z7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG
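A minimal detector for the pattern shown above, written here as an added example (it is not the detector this page describes and not PayPal code): it walks a .properties-style text, flags PAYPAL_ID / PAYPAL_SECRET style keys whose value looks like an opaque credential, masks the value so it never lands in a log or ticket, and rates the finding the way the Security section does. The CLIENT_* key variants, the 30-character minimum value length and the sample file are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Property names to look for. The page shows PAYPAL_ID / PAYPAL_SECRET; the
# CLIENT_* variants are an assumption about other common spellings.
ID_KEYS = {"PAYPAL_ID", "PAYPAL_CLIENT_ID"}
SECRET_KEYS = {"PAYPAL_SECRET", "PAYPAL_CLIENT_SECRET"}

# key=value or key: value, optional `export`, optional quotes. The value must be
# an opaque token of 30+ URL-safe characters (assumption: the page's samples
# are 50-character alphanumeric strings; real credential lengths may differ).
PAIR_RE = re.compile(
    r"""^\s*(?:export\s+)?(?P<key>[A-Za-z_][A-Za-z0-9_.]*)\s*[=:]\s*"""
    r"""["']?(?P<val>[A-Za-z0-9_\-]{30,})["']?\s*$"""
)


@dataclass
class Finding:
    line_no: int
    key: str
    kind: str      # "id" or "secret"
    masked: str    # never carry the full value into logs or tickets


def mask(value: str) -> str:
    return value[:4] + "..." + value[-4:]


def scan_properties(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":   # .properties comment lines
            continue
        m = PAIR_RE.match(line)
        if not m:
            continue
        key = m.group("key").upper()
        if key in ID_KEYS:
            kind = "id"
        elif key in SECRET_KEYS:
            kind = "secret"
        else:
            continue
        findings.append(Finding(line_no, m.group("key"), kind, mask(m.group("val"))))
    return findings


def severity(findings: list[Finding]) -> str:
    # Mirrors the Security section: a leaked Secret is critical on its own,
    # a lone Client ID is low but still worth reporting.
    kinds = {f.kind for f in findings}
    if "secret" in kinds:
        return "critical"
    if "id" in kinds:
        return "low"
    return "none"


# Constructed sample .properties file using the page's dummy values.
SAMPLE = """\
# payment settings
app.name=shop
PAYPAL_ID=a7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG
PAYPAL_SECRET=z7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG
paypal.mode=sandbox
"""

if __name__ == "__main__":
    found = scan_properties(SAMPLE)
    for f in found:
        print(f"line {f.line_no}: {f.key} ({f.kind}) = {f.masked}")
    print("severity:", severity(found))
```

Keying on the property name rather than on the value's shape is deliberate: the page gives no fixed format for PayPal credential strings, and a name-anchored rule keeps false positives low while still catching the shell-export and quoted variants.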
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). In the PayPal Developer Dashboard, navigate to My Apps & Credentials, open the affected app and click the Generate new secret button, then update every deployment that uses the app. Review the app's API and transaction activity during the exposure window for calls you do not recognise.
- Remove the sensitive data from the source code or committed configuration file. Avoid hardcoded secrets; instead keep the pair in a secrets vault and inject it into the application at runtime.
You should consider any sensitive data in commits containing secrets as compromised. Remember that secrets may be removed from the history of your own projects, but not from other users' cloned or forked repositories.
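The hardened counterpart to the hardcoded properties file, as an added example (not code from this page or from PayPal's SDKs): the pair is read from the process environment, which the deployment populates from the vault, documentation placeholder values are refused, and the pair is only ever presented to PayPal's token endpoint as HTTP Basic credentials. The variable names PAYPAL_CLIENT_ID / PAYPAL_CLIENT_SECRET and the PAYPAL_ENV switch are assumptions; the two URLs are PayPal's documented live and sandbox OAuth2 token endpoints.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# PayPal's OAuth2 token endpoints. The Client ID / Secret pair is presented as
# HTTP Basic credentials for grant_type=client_credentials.
TOKEN_URLS = {
    "live": "https://api-m.paypal.com/v1/oauth2/token",
    "sandbox": "https://api-m.sandbox.paypal.com/v1/oauth2/token",
}

# The page's dummy values: refuse them so a copy-pasted example never ships.
PLACEHOLDERS = {
    "a7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG",
    "z7re37VjvZaXknragMl35g2MtphjY19y1v5R4bTpN2Rkl99DvG",
}

# Assumed environment variable names; the deployment (CI secret store, vault
# agent, container secret, ...) injects them, nothing in the repository holds them.
ID_VAR = "PAYPAL_CLIENT_ID"
SECRET_VAR = "PAYPAL_CLIENT_SECRET"


def load_paypal_credentials(env=None):
    """Return (client_id, secret) from the environment, failing closed."""
    env = os.environ if env is None else env
    client_id, secret = env.get(ID_VAR, ""), env.get(SECRET_VAR, "")
    missing = [name for name, value in ((ID_VAR, client_id), (SECRET_VAR, secret)) if not value]
    if missing:
        raise RuntimeError("missing PayPal credentials: " + ", ".join(missing))
    if client_id in PLACEHOLDERS or secret in PLACEHOLDERS:
        raise RuntimeError("documentation placeholder credentials are not usable")
    return client_id, secret


def build_token_request(client_id, secret, environment="sandbox"):
    """Assemble the client_credentials request: URL, headers and form body."""
    basic = base64.b64encode(f"{client_id}:{secret}".encode("ascii")).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    return TOKEN_URLS[environment], headers, body


def fetch_access_token(client_id, secret, environment="sandbox"):
    """Exchange the pair for a bearer token (performs a network call)."""
    url, headers, body = build_token_request(client_id, secret, environment)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    cid, sec = load_paypal_credentials()
    token = fetch_access_token(cid, sec, os.environ.get("PAYPAL_ENV", "sandbox"))
    print("got access token of length", len(token))   # never print the token itself
```

Neither the pair nor the resulting bearer token is written to a file or logged; the only thing that reaches stdout is the token's length. Rotating the Secret in the dashboard then only requires updating the vault entry, with no commit and no history rewrite.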