Stripe Secret keys

ID

stripe_secret

Severity

high

Vendor

Stripe

Family

API Token

Description

Stripe is a payment services provider for e-commerce websites and mobile applications.

A Stripe secret key is used to authenticate API requests.

Security

Leakage of the secret is critical since, by default, secret keys can be used to perform any API request without restriction.

Suspicious activity can be detected by reviewing the request logs associated with the API key.

Examples

The following example shows a hardcoded Stripe secret in a Python script:

import stripe

# The live secret key is hardcoded as the api_key argument; this is what the rule flags.
charge = stripe.Charge.retrieve(
  "ch_3LopUh2eZvKYlo2C1u1V6SvY",
  api_key="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"
)

Mitigation / Fix

  1. Remove the secret from the source code or committed configuration file. Avoid hardcoded secrets; instead, place the keys in a secrets vault.

  2. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to Manage API keys, open the three-dot menu next to the compromised API key and revoke it.

  3. If the code is in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits that contained secrets as compromised.

Remember that secrets may be removed from history in your own projects, but not from other users' clones or forks of the repository.
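As an added example (not part of this rule page or of Stripe's own tooling), a minimal scanner for the key pattern this rule describes, run over a constructed source snippet that contains a hardcoded live key, a test key, a publishable key (not a secret) and the fixed form that loads the key at runtime. The prefixes sk_/rk_ with live/test mode are Stripe's documented format; the minimum body length of 24 characters is an assumption.

```python
import re
from typing import List, Tuple

# Assumption: Stripe secret keys are "sk_live_"/"sk_test_" (and restricted keys
# "rk_live_"/"rk_test_") followed by at least 24 alphanumeric characters.
STRIPE_SECRET_RE = re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{24,}\b")

# Constructed sample source: one live key, one test key, one publishable key
# (not a secret) and the fixed form that reads the key from the environment.
SAMPLE_SOURCE = """\
import stripe
import os

# constructed sample: hardcoded live secret, the finding this rule reports
stripe.api_key = "sk_live_EXAMPLE0000000000000000000000000"
# constructed sample: test-mode key, lower impact but still a leak
TEST_KEY = "sk_test_EXAMPLE1111111111111111111111111"
# not a finding: publishable keys are meant to ship to browsers and apps
PUBLISHABLE = "pk_live_EXAMPLE2222222222222222222222222"
# the fix: load the secret from the environment or a secrets vault
stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
"""


def redact(key: str) -> str:
    """Keep the 8-char mode prefix and the last 4 chars so the finding can be
    matched against the Stripe dashboard without re-leaking the key."""
    prefix, body = key[:8], key[8:]
    return prefix + "*" * (len(body) - 4) + body[-4:]


def find_stripe_secrets(source: str) -> List[Tuple[int, str, str]]:
    """Scan source text; return (1-based line, mode, redacted key) per match."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in STRIPE_SECRET_RE.finditer(line):
            key = match.group(0)
            findings.append((lineno, key[3:7], redact(key)))  # key[3:7] is "live"/"test"
    return findings


if __name__ == "__main__":
    for lineno, mode, shown in find_stripe_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {mode}-mode Stripe secret key {shown}")
```

The scanner reports line 5 (live) and line 7 (test) and stays silent on the publishable key and on the environment-variable form, which is the shape the fix in step 1 above should take.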