• This plugin has been reported to Stripe. The author claims "Most of the attacks are using API keys rather than using a payment form." but this is not true; I was getting about 20 or more transactions per day, sometimes 10 in a 1 hour period.

    Every transaction was fraudulent, donations in the amount of $1.24, $1.20, $2.70, $2.43 etc. Obviously the hacker had stolen multiple credit cards and was randomly targeting WordPress sites with this plugin.

    Didn't think about it because we had a give $1 / $2 campaign going on at the time, encouraging donors that every little bit helped.

    The day Stripe started contacting us, threatening to close the account, with the disputes rising and transactions being flagged as fraudulent, I reached out to support, only to get the blame game about Stripe API keys.

    The only way they can read those secret keys is through a security hole in the plugin. To confirm, I did not change the API keys, I changed the plugin: I tried 5 other plugins, all stopped these fraudulent transactions, and I decided to go with another plugin. Since then, no more fraudulent transactions.

    Now the problem is that every transaction is being disputed and the banks are charging $15.xx fees on each transaction. I have hundreds of them; if only 200 of them are disputed and won, I will lose $3000.00 and go bankrupt.

    The author is not taking any responsibility. I have alerted Stripe of the problem, so they can remove this plugin from their recommendations. Also reporting to WordPress. Please do not even try this plugin. If anyone wants proof, I can send you screenshots of everything.

Viewing 1 replies (of 1 total)
  • Plugin Author Spencer Finnell

    (@spencerfinnell)

    Hello @obertscloud,

    There are two types of Stripe API keys:

    – Publishable
    – Secret

    The Publishable key is meant to be publicly available, and is used alongside Stripe’s libraries to perform a limited set of actions. This key can be used to create Card tokens, as allowed by Stripe. Having this key exposed is not a security risk.

    From Stripe:

    "API keys are meant solely to identify your account with Stripe, they aren't secret. In other words, they can safely be published in places like your Stripe.js JavaScript code, or in an Android or iPhone app."

    WP Simple Pay uses the Secret key (safely stored in your WordPress database) to create what is called a "Checkout Session". This Session is returned to your web browser, and the Publishable key is used to redirect users to Stripe.com where the payment can be completed.

    Users are unable to directly interact with a payment form until this point. Unfortunately we cannot add further reCAPTCHA methods to this form because it is not something that is hosted on your WordPress website. It is up to Stripe’s anti-fraud measures to detect this fraudulent activity. Stripe offers “Radar” to help combat this. Stripe also offers Chargeback Protection when using Stripe Checkout. Radar was recommended by one of our team members when you first reported a problem.

    "I did not change the Api Keys I changed the plugin, I tried 5 other plugins, all stopped these fraudulent transactions, and I decided to go with another plugin"

    Switching plugins would have changed the API keys (both Publishable and Secret) being used since WP Simple Pay uses Stripe Connect to automatically connect to your Stripe Account. Regenerating API keys was initially recommended by one of our team members when you first reported a problem.
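The thread describes the classic card-testing signature: a burst of small "donations" (a dollar or two each) arriving many times per hour from many different cards, which a low-value giving campaign can easily mask. Stripe Radar is the fraud tooling both sides mention, but a site operator can also watch their own charge history for this pattern. The following is an added example written for this page; it is not WP Simple Pay or Stripe code. The charge records, card fingerprints and the thresholds (charges of $5.00 or less, at least 5 of them within one hour) are constructed assumptions; in practice you would feed it charges exported from the Stripe dashboard and tune the thresholds to your normal donation volume.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample charges (not real data). The first eight mimic the burst
# described in the thread: sub-$5 amounts, minutes apart, mostly distinct cards.
SAMPLE_CHARGES = [
    {"id": "ch_0001", "created": "2021-03-10T09:00:00", "amount_cents": 124,  "card_fingerprint": "fp_01"},
    {"id": "ch_0002", "created": "2021-03-10T09:05:00", "amount_cents": 120,  "card_fingerprint": "fp_02"},
    {"id": "ch_0003", "created": "2021-03-10T09:11:00", "amount_cents": 270,  "card_fingerprint": "fp_03"},
    {"id": "ch_0004", "created": "2021-03-10T09:18:00", "amount_cents": 243,  "card_fingerprint": "fp_04"},
    {"id": "ch_0005", "created": "2021-03-10T09:24:00", "amount_cents": 131,  "card_fingerprint": "fp_05"},
    {"id": "ch_0006", "created": "2021-03-10T09:30:00", "amount_cents": 105,  "card_fingerprint": "fp_06"},
    {"id": "ch_0007", "created": "2021-03-10T09:37:00", "amount_cents": 199,  "card_fingerprint": "fp_02"},
    {"id": "ch_0008", "created": "2021-03-10T09:42:00", "amount_cents": 150,  "card_fingerprint": "fp_07"},
    # Ordinary-looking donations later in the day.
    {"id": "ch_0009", "created": "2021-03-10T14:00:00", "amount_cents": 2000, "card_fingerprint": "fp_40"},
    {"id": "ch_0010", "created": "2021-03-10T14:30:00", "amount_cents": 2500, "card_fingerprint": "fp_41"},
    {"id": "ch_0011", "created": "2021-03-10T15:05:00", "amount_cents": 100,  "card_fingerprint": "fp_42"},
    {"id": "ch_0012", "created": "2021-03-10T16:30:00", "amount_cents": 200,  "card_fingerprint": "fp_43"},
]

# Assumed thresholds; tune to the site's real donation volume.
SMALL_AMOUNT_CENTS = 500          # "small" = $5.00 or less
WINDOW = timedelta(hours=1)       # look for clusters inside a one-hour window
MIN_HITS = 5                      # at least this many small charges per window


def _small_charges_sorted(charges, small_amount_cents):
    """Return (datetime, charge) pairs for small charges, in time order."""
    small = [(datetime.fromisoformat(c["created"]), c)
             for c in charges if c["amount_cents"] <= small_amount_cents]
    small.sort(key=lambda pair: pair[0])
    return small


def find_bursts(charges, small_amount_cents=SMALL_AMOUNT_CENTS,
                window=WINDOW, min_hits=MIN_HITS):
    """Flag runs of small charges dense enough to look like card testing.

    A sliding window over the time-sorted small charges marks every charge
    that belongs to some window holding at least `min_hits` charges; adjacent
    marked charges are then merged into one alert so an hour-long attack
    produces a single report instead of dozens.
    """
    small = _small_charges_sorted(charges, small_amount_cents)
    times = [t for t, _ in small]
    flagged = [False] * len(small)

    j = 0
    for i in range(len(small)):
        if j < i:
            j = i
        # Extend the window from charge i as far as it reaches.
        while j + 1 < len(small) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= min_hits:
            for k in range(i, j + 1):
                flagged[k] = True

    alerts = []
    k = 0
    while k < len(small):
        if not flagged[k]:
            k += 1
            continue
        start = k
        while k < len(small) and flagged[k]:
            k += 1
        group = [c for _, c in small[start:k]]
        alerts.append({
            "start": group[0]["created"],
            "end": group[-1]["created"],
            "count": len(group),
            # Many distinct cards in one burst is the card-testing tell.
            "distinct_cards": len({c["card_fingerprint"] for c in group}),
            "charge_ids": [c["id"] for c in group],
        })
    return alerts


def small_charges_per_day(charges, small_amount_cents=SMALL_AMOUNT_CENTS):
    """Daily count of small charges, for comparison against the site's baseline."""
    counts = Counter()
    for t, _ in _small_charges_sorted(charges, small_amount_cents):
        counts[t.date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_CHARGES):
        print(f"{alert['start']} .. {alert['end']}: {alert['count']} small charges "
              f"from {alert['distinct_cards']} cards -> {alert['charge_ids']}")
    print("small charges per day:", small_charges_per_day(SAMPLE_CHARGES))
```

On the constructed data the first eight charges collapse into a single alert (eight charges from seven cards in 42 minutes) while the two small afternoon donations are left alone, because they never share a one-hour window with enough others. A real deployment would run this over a periodic export of charges and raise a ticket when an alert appears, well before the disputes and per-chargeback fees described in the thread start accumulating.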

  • The topic ‘Security Leaks in plugin allow fraudulent transactions’ is closed to new replies.