• Resolved clickingclients

    (@clickingclients)


    In light of the recent situation when Stripe API Keys were compromised…. resulting in over $70k in losses.

    We are wondering if there is full support for Stripe Restricted API Keys with your plugin.

    We would still love to see documentation for your plugin on the minimum permission requirements for a Restricted API Key to work with Payment Plugins for Stripe WooCommerce.

    We’ve done some tests in test mode and, although successful, we received an error in Stripe:

    Only 1 error on Stripe: 403 ERR GET /v1/account

    invalid_request_error The provided key ‘rk_test_*********************************************************************************************L’ does not have the required permissions for this endpoint on account ‘acct_1*************3’. Having the ‘rak_accounts_kyc_id_numbers_read’ permission would allow this request to continue.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter clickingclients

    (@clickingclients)

    Can you please assist in how we overcome the error?

    We used the following restricted key settings:

    • All core resources: Write
    • Checkout Sessions: only set to Write if you plan to use the Stripe Checkout feature; otherwise set to None.
    • Webhook Endpoints: Read
    • Radar: Write
    • Everything else (including Stripe Connect) set to “None”

  • Plugin Author Payment Plugins

    (@mrclayton)

    Hi @clickingclients

    In light of the recent situation when Stripe API Keys were compromised…. resulting in over $70k in losses.

    Are you referring to this podcast where the person was using the WooCommerce Stripe Gateway plugin? To be clear, that is not our plugin. https://webdesigneracademy.com/my-stripe-account-was-hacked-and-stripe-said-i-have-to-repay-70k/

    When using live mode, Stripe requires that the merchant use Standard Connect. Stripe requires us to integrate that way and you will notice there isn’t an option to manually enter your API keys for live mode. The secret key generated during the connect process is not visible in your stripe.com dashboard. That limits the attack vectors that a potential hacker would have trying to access that key.

    Keys generated via Connect can be rejected by removing the authorization.

    Regarding the concept of restricting a secret key generated by Standard Connect, we have submitted a request to the Stripe engineers as we’ve never come across that question before. We need Stripe to comment on what’s possible on their end.

    We’ll update this thread once Stripe gets back to us.

    Kind Regards

  • Plugin Author Payment Plugins

    (@mrclayton)

    @clickingclients after reading through the podcast transcripts, here is what I believe the hacker did, and why that same exploit is not possible using our plugin.

    1. The hacker compromised the merchant’s secret API key, either through the Stripe dashboard, where the secret key can be viewed, or by hacking the merchant’s eCommerce site.
    2. Once the hacker was in possession of the secret key, they made an API request to the https://api.stripe.com/v1/accounts endpoint and set up a connected account.
    3. Once that fake connected account was created, the hacker initiated an instant payout to their connect account.

    The reason that exploit would not be possible using our plugin is because we rely on a secret key that is generated via the Standard Connect process. That secret key is already restricted in what API endpoints it can reach. For example, if you tried to create a connected account using the secret key via endpoint https://api.stripe.com/v1/accounts you would receive the following error:

    {
        "error": {
            "message": "Connect platforms cannot create new accounts on behalf of their connected accounts.",
            "type": "invalid_request_error"
        }
    }

    That means, if a hacker was able to compromise your secret by hacking into your WordPress site, they wouldn’t be able to transfer money out of your account.

    Kind Regards

  • The topic ‘Supporting Restricted API Keys?’ is closed to new replies.
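
An added example, not code from the thread or from the plugin: the 403 quoted in the first post names the permission the restricted key lacks, so test-mode error logs can be reduced to a minimum-permission list, with other refusals (such as the Connect error quoted in the last reply) reported separately. The log entry layout, the masked identifiers and the 400 status are assumptions made for the sample.

```python
import json
import re
from collections import defaultdict

QUOTE = "[‘’'\"]"  # straight or typographic; forum and ticket software rewrites quotes
PERMISSION_RE = re.compile(rf"Having the {QUOTE}(\w+){QUOTE} permission")
# Key and account identifiers, masked or not, must not reach a report.
SECRET_RE = re.compile(r"\b(?:rk|sk)_(?:test|live)_[\w*]+|\bacct_[\w*]+")

def _body(message):
    return json.dumps({"error": {"message": message, "type": "invalid_request_error"}})

# Constructed test-mode log entries modelled on the two errors quoted in the thread.
# Masked key/account values are made up; the 400 status is an assumption.
DENIED_403 = ("The provided key 'rk_test_****L' does not have the required permissions for "
              "this endpoint on account 'acct_1****3'. Having the "
              "'rak_accounts_kyc_id_numbers_read' permission would allow this request to continue.")
SAMPLE_LOG = [
    {"status": 200, "method": "POST", "path": "/v1/payment_intents", "body": "{}"},
    {"status": 403, "method": "GET", "path": "/v1/account", "body": _body(DENIED_403)},
    {"status": 403, "method": "GET", "path": "/v1/account", "body": _body(DENIED_403.replace("'", "’"))},
    {"status": 400, "method": "POST", "path": "/v1/accounts", "body": _body(
        "Connect platforms cannot create new accounts on behalf of their connected accounts.")},
]

def redact(text):
    return SECRET_RE.sub("[redacted]", text)  # strip identifiers before sharing

def audit(entries):
    """Return (needed, other): permissions to grant per endpoint, other denials."""
    needed, other = defaultdict(set), []
    for entry in entries:
        if entry["status"] < 400:
            continue  # successful calls need no change to the key
        try:
            message = json.loads(entry["body"])["error"]["message"]
        except (ValueError, KeyError, TypeError):
            message = "unparseable error body"
        endpoint = f'{entry["method"]} {entry["path"]}'
        match = PERMISSION_RE.search(message)
        if entry["status"] == 403 and match:
            needed[endpoint].add(match.group(1))
        else:
            other.append((endpoint, redact(message)))
    return dict(needed), other

if __name__ == "__main__":
    for item in audit(SAMPLE_LOG):
        print(item)
```

Each permission the audit reports is one the key was actually refused for, so granting only those keeps the key at the minimum the observed traffic needs.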