Can you please assist in how we overcome the error?
We used the following restricted key settings:
- All core resources: Write
- Checkout Sessions: only set to Write if you plan to use the Stripe Checkout feature; otherwise set to None.
- Webhook Endpoints: Read
- Radar: Write
- Everything else (including Stripe Connect) set to “None”
Hi @clickingclients
In light of the recent situation when Stripe API Keys were compromised… resulting in over $70k in losses.
Are you referring to this podcast where the person was using the WooCommerce Stripe Gateway plugin? To be clear, that is not our plugin. https://webdesigneracademy.com/my-stripe-account-was-hacked-and-stripe-said-i-have-to-repay-70k/
When using live mode, Stripe requires that the merchant use Standard Connect. Stripe requires us to integrate that way and you will notice there isn’t an option to manually enter your API keys for live mode. The secret key generated during the connect process is not visible in your stripe.com dashboard. That limits the attack vectors that a potential hacker would have trying to access that key.
Keys generated via Connect can be rejected by removing the authorization.
Regarding the concept of restricting a secret key generated by Standard Connect, we have submitted a request to the Stripe engineers as we’ve never come across that question before. We need Stripe to comment on what’s possible on their end.
We’ll update this thread once Stripe gets back to us.
Kind Regards
@clickingclients after reading through the podcast transcripts, here is what I believe the hacker did, and why that same exploit is not possible using our plugin.
- The hacker compromised the merchant’s secret API key, either through the Stripe dashboard, where the secret key can be viewed, or by hacking the merchant’s eCommerce site.
- Once the hacker was in possession of the secret key, they made an API request to the https://api.stripe.com/v1/accounts endpoint and set up a connected account.
- Once that fake connected account was created, the hacker initiated an instant payout to their connect account.
The reason that exploit would not be possible using our plugin is because we rely on a secret key that is generated via the Standard Connect process. That secret key is already restricted in what API endpoints it can reach. For example, if you tried to create a connected account using the secret key via endpoint https://api.stripe.com/v1/accounts you would receive the following error:
{
  "error": {
    "message": "Connect platforms cannot create new accounts on behalf of their connected accounts.",
    "type": "invalid_request_error"
  }
}
That means, if a hacker was able to compromise your secret key by hacking into your WordPress site, they wouldn't be able to transfer money out of your account.
Kind Regards
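The two posts above describe an attack chain (create a connected account, then pay out to it) and one error response that stops it. A merchant who wants to confirm what a given key can actually reach, rather than trusting the dashboard settings or a vendor's statement, can probe the same two endpoints. The script below is an added example for this thread, not the plugin's code. It sends deliberately malformed bodies (`type=bogus`, `currency=xyz`) so that a key which does have permission fails on parameter validation instead of creating anything or moving money. Assumptions, labelled in the code: Stripe evaluates the key's permissions before validating the request body; a restricted key without the permission is refused with HTTP 403 and a "does not have the required permissions" message; the Connect refusal text is the one quoted above. The `/payouts` sample response is constructed and stands in for a key that can reach that endpoint; the `/accounts` sample is the error quoted in the thread. Run it against a test-mode key first.

```python
"""Probe what a Stripe secret/restricted key can reach.

Added example for this thread, not the plugin's own code. Each probe uses an
intentionally invalid body so a permitted key errors on validation rather than
acting. Assumptions: permission checks run before body validation, restricted-key
denials come back as 403 / "required permissions", and the Connect error text is
the one quoted in the thread.
"""
import json
import os
import re
import urllib.error
import urllib.request

STRIPE_API = "https://api.stripe.com/v1"

# (name, method, path, body) -- bodies are deliberately invalid (type=bogus,
# currency=xyz) so a key WITH permission fails on validation, not by acting.
PROBES = [
    ("accounts_create", "POST", "/accounts", "type=bogus"),
    ("payouts_create", "POST", "/payouts", "amount=1&currency=xyz"),
]

# Error texts that mean the key was stopped before the operation ran.
DENIAL_PATTERNS = [
    re.compile(r"cannot create new accounts on behalf of"),  # quoted in the thread
    re.compile(r"does not have the required permissions"),   # assumed restricted-key denial text
]


def classify(status, body_text):
    """Map one HTTP response to: denied | reached | allowed | auth_failed | unknown."""
    if 200 <= status < 300:
        return "allowed"       # should never happen with the bogus bodies above
    if status == 401:
        return "auth_failed"   # the key itself is invalid or has been revoked
    try:
        err = json.loads(body_text).get("error", {})
    except ValueError:
        return "unknown"
    msg = err.get("message", "")
    if status == 403 or any(p.search(msg) for p in DENIAL_PATTERNS):
        return "denied"        # key cannot perform this operation at all
    if err.get("type") == "invalid_request_error":
        return "reached"       # permission check passed; only our bogus params stopped it
    return "unknown"


def live_transport(method, url, key, body):
    """Real HTTP call to Stripe; returns (status, body_text)."""
    req = urllib.request.Request(url, data=body.encode(), method=method)
    req.add_header("Authorization", "Bearer " + key)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed offline responses. "/accounts" is the error quoted in the thread;
# "/payouts" is a made-up validation error standing in for a key that CAN pay out.
SAMPLE_RESPONSES = {
    "/accounts": (400, json.dumps({"error": {
        "message": "Connect platforms cannot create new accounts on behalf of their connected accounts.",
        "type": "invalid_request_error"}})),
    "/payouts": (400, json.dumps({"error": {
        "message": "Invalid currency: xyz",
        "type": "invalid_request_error"}})),
}


def sample_transport(method, url, key, body):
    """Offline stand-in for live_transport using the constructed responses."""
    return SAMPLE_RESPONSES[url[len(STRIPE_API):]]


def audit_key(key, transport=live_transport):
    """Run every probe with `key`; returns {probe_name: classification}."""
    return {name: classify(*transport(method, STRIPE_API + path, key, body))
            for name, method, path, body in PROBES}


if __name__ == "__main__":
    key = os.environ.get("STRIPE_KEY")  # set to a test-mode key to probe for real
    results = audit_key(key) if key else audit_key("sk_test_placeholder", sample_transport)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
```

With the constructed samples the output is `accounts_create: denied` and `payouts_create: reached`; the second line is the verdict a merchant should treat as a finding, because it means a stolen copy of that key could reach the payout path described in the thread. Any "allowed" verdict means the malformed body was accepted, which the script does not expect, so stop and inspect the account.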