WePay API Token
ID: wepay_token
Severity: high
Vendor: WePay
Family: API Token
Description
WePay is an online payment service provider that offers its payment solution, through its APIs, to platform businesses such as crowdfunding sites, marketplaces and small-business software companies. It also offers partners fraud and risk protection.
WePay uses access tokens to authenticate programmatic calls to its API.
Security
Any leakage of the token is critical: whoever holds it can call the API with the privileges of the account it was issued for.
Fraudulent use of an account can be detected through the service's notifications, called Instant Payment Notifications (IPN).
Examples
The following example shows a hardcoded WePay token in a properties script:
WEPAY_ACCESS_TOKEN2=PRODUCTION_9672fc394c1470b2d9dce2340122f32177b5eb03a9e9de990626273cc0f80b76
Mitigation / Fix
- Remove the sensitive data from the source code or committed configuration file. Avoid hardcoded secrets, and instead place the keys in a secrets vault.
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Navigate to your WePay User Settings page, locate the token there and revoke it.
- If the file is under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub. You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
- Enable Instant Payment Notifications (IPN) so you can be notified when WePay detects a fraudulent use of your account.
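The following added example (not code from WePay or from this detector's own implementation) shows both sides of the issue above: a small scanner that flags a WePay-style token hardcoded in a properties file like the one in the Examples section, masking the value in its report, and a loader that reads the token from the environment (populated from a secrets vault) instead. The sample properties text and token value are constructed; the `STAGE_` prefix accepted alongside `PRODUCTION_` is assumed to be WePay's sandbox-environment prefix and is not shown on this page.

```python
import os
import re
from typing import Mapping, Optional

# Constructed sample properties file; the token value is made up, not a real credential.
SAMPLE_PROPERTIES = """\
# application.properties (constructed sample)
app.name=fundraiser
WEPAY_ACCESS_TOKEN2=PRODUCTION_9672fc394c1470b2d9dce2340122f32177b5eb03a9e9de990626273cc0f80b76
wepay.client_id=12345
"""

# Environment prefix followed by 64 hex digits. PRODUCTION_ is shown on the page;
# STAGE_ is assumed to be the sandbox prefix.
WEPAY_TOKEN_RE = re.compile(r"\b(PRODUCTION|STAGE)_([0-9a-f]{64})\b")
# A "wepay" mention in the key or line raises confidence and limits false positives.
WEPAY_CONTEXT_RE = re.compile(r"wepay", re.IGNORECASE)


def mask(token: str) -> str:
    """Keep the prefix and last 4 hex digits so a finding is triageable without re-leaking it."""
    prefix, _, hexpart = token.partition("_")
    return f"{prefix}_{'*' * (len(hexpart) - 4)}{hexpart[-4:]}"


def scan_properties(text: str) -> list:
    """Return one finding per key=value line whose value holds a WePay-style token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines carry no value to inspect
        key, sep, value = stripped.partition("=")
        if not sep:
            continue
        match = WEPAY_TOKEN_RE.search(value)
        if match:
            confidence = "high" if WEPAY_CONTEXT_RE.search(line) else "medium"
            findings.append({"line": lineno, "key": key.strip(),
                             "token": mask(match.group(0)), "confidence": confidence})
    return findings


def load_wepay_token(env_var: str = "WEPAY_ACCESS_TOKEN",
                     env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened pattern: take the token from the environment (injected from a vault at deploy time)."""
    source = os.environ if env is None else env
    token = source.get(env_var)
    if not token or not WEPAY_TOKEN_RE.fullmatch(token):
        raise RuntimeError(f"{env_var} is missing or not a well-formed WePay token")
    return token
```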