A concerning query
Millions of businesses use Stripe’s payment processing platform every day to handle sensitive credit card transactions. But what could happen if a Stripe API key is leaked (or stolen)?
Truffle Security reviewed Stripe’s API documentation and identified some of the risks associated with an exposed API key:
Leaked Personally Identifiable Information (PII)
Financial Loss from Unauthorized Promo Codes
Financial Loss from Unauthorized Product Price Changes
Online Shop Defacement
Financial Loss from Unauthorized Wire Transfers
In this post, we walk through 5 different attack paths threat actors with access to a valid Stripe secret API key could take.
A couple of caveats: (1) These are not vulnerabilities in Stripe. This post outlines ways that legitimate Stripe API functionality could be misused by a threat actor with access to a valid (read: stolen) API key. (2) Stripe has excellent fraud detection and provides customers with practical tools to secure API keys. For more details on how to secure your Stripe account, see the end of this post.
Attack paths
SCENARIO 1 – THE PII LEAK
Payment processors store client data, much like a CRM, for their users. Information such as a payer’s email address, address, and phone number can all be easily queried using Stripe’s API. The /v1/customers endpoint allows authenticated users to list all customers, including some PII.
Screenshot of API Response to the /v1/customers endpoint
The curl command below requests detailed payer information for 100 payers in Stripe:
Given the sensitivity of PII that Stripe stores, a threat actor with sufficient access to a victim’s Stripe account could force that organization to disclose the data breach to regulatory agencies and their customers (and incur the steep related costs).
In addition to regulatory pressure, criminals with access to a payer list in Stripe could conduct a number of additional malicious actions:
Extort the payers (especially if the payer bought sensitive or taboo goods/services from the victim organization)
Execute a business email compromise (invoice fraud) campaign against the payers
Leak / sell the payers list to competitors or anyone else on the dark web
Importantly, the payers’ credit cards aren’t stored / accessible in plaintext on Stripe, so that information would not have been at risk.
SCENARIO 2 – THE MAGIC PROMO CODE
Developers can create coupons and promo codes using the Stripe API. Depending on their configuration, these discounts could be applied to many different types of purchases, including subscriptions, invoices, checkout sessions, quotes, and so on.
Screenshot of a Stripe promo code field
When creating a coupon, the developer configures a percent_off value as well as a duration value. For example, using the cURL command below, a developer could create a 90% off coupon with a duration of forever.
The response returns the new coupon’s ID, which can then be used to create a promo code that doesn’t expire and is available for use on every checkout:
If it goes unnoticed, the financial damage caused by a malicious promo code could be significant, depending on the transaction volume.
Sophisticated threat actors could take steps to hide their malicious actions by creating many promo codes, all with short durations, or by changing the percent_off value of a legitimate coupon for only the duration of their checkout and then switching it back.
SCENARIO 3 – THE $1 SNEAKER
Promo codes are not the only way to affect price during checkout; anyone with an API key with appropriate permissions could change the price of products.
For example, given the price ID for a product (which is easily found), an attacker could update the unit_amount of a price to a cheaper value (like $1):
Similar to the promo code attack, the financial impact of price changes depends on the transaction volume.
SCENARIO 4 – THE HACKED WEBSITE
Since Stripe is a “batteries-included” payment processor that is often used to set up an entire online shop, it also includes features to store product information. Users can upload names, images and descriptions of their products, which are meant to be displayed to the customer.
Screenshot of Stripe docs showing ability to modify product descriptions and other attributes
A threat actor with an appropriately-permissioned API key could modify product information to deface the victim’s website. This attack only works when the victim’s website renders product information directly from Stripe.
If an organization replicates the Stripe data in their own database (e.g. this tutorial on managing Stripe as a source of truth), an attacker could potentially inject arbitrary data into the victim’s website or database tables. A previously found vulnerability in a WordPress Stripe plugin allowed injection of arbitrary content when billing details were pulled from Stripe and used without sanitization.
Depending on the way the maliciously injected data is processed on the backend (and then the frontend), security vulnerabilities such as XSS (Cross-Site Scripting), SQLi (SQL injection) and SSTI (Server-Side Template Injection) could be triggered. Particularly severe vulnerabilities could lead to data leakage or even remote code execution.
SCENARIO 5 – THE PAYOUT
Of course, not all threat actors are creative; some just want a wire transfer directly to their bank account. Stripe includes fraud detection in their platform, but with millions of transactions a day, any net has holes.
Payouts are created via a POST request to /v1/payouts:
Screenshot of Stripe’s Payout Documentation
The destination of the payout is usually a ba_* (bank account) object, as payouts are typically used for refunding actual currency to a customer, or sending funds to your own bank account. With access to the API, threat actors can modify customer details and related bank account information to make it look like payouts are sent to legitimate destinations.
The monetary impact of this type of attack would depend on how much is transferred and how fast it’s caught. If large payouts are detected quickly by the shop owner or Stripe, the transaction could be quickly disputed with the receiving banks. However, if the money is quickly moved between multiple banks and/or converted into cryptocurrency, then the likelihood of recovery is low.
Although not specific to Stripe, this type of attack played out on a grand scale several years ago when North Korean hackers targeted the SWIFT money transfer system in an attempt to steal a billion dollars from Bangladesh Bank. While initially successful, they only got away with $81 million, since the Federal Reserve Bank detected multiple suspicious transactions and caught them in the act.
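The misuse in scenarios 2, 3 and 5 leaves a trail in Stripe’s event stream (coupon.created, price.updated with its previous_attributes, payout.created). The Python below is an added example, not Truffle Security’s or Stripe’s code: it audits a constructed list of Stripe-shaped event dicts for those patterns; the thresholds, the payout allowlist and the sample ids are assumptions, and in a real deployment the events would come from a webhook endpoint or GET /v1/events.

```python
"""Flag Stripe events matching the promo-code, price-change and payout misuse above."""

MAX_PERCENT_OFF = 50          # assumed: larger discounts are unusual for this shop
MAX_PRICE_DROP = 0.5          # assumed: flag a unit_amount cut by more than 50%
KNOWN_PAYOUT_DESTINATIONS = {"ba_sample_shop_bank"}  # constructed placeholder id


def audit_event(event):
    """Return a list of findings (strings) for one Stripe Event-shaped dict."""
    obj = event["data"]["object"]
    prev = event["data"].get("previous_attributes", {})  # present on *.updated events
    findings = []
    kind = event["type"]
    if kind == "coupon.created":
        pct = obj.get("percent_off") or 0
        if pct > MAX_PERCENT_OFF:
            findings.append(f"{event['id']}: coupon {obj['id']} gives {pct}% off")
        if obj.get("duration") == "forever":
            findings.append(f"{event['id']}: coupon {obj['id']} never expires")
    elif kind == "price.updated" and "unit_amount" in prev:
        old, new = prev["unit_amount"], obj["unit_amount"]
        if old and new < old * (1 - MAX_PRICE_DROP):
            findings.append(f"{event['id']}: price {obj['id']} cut from {old} to {new}")
    elif kind == "payout.created":
        dest = obj.get("destination")
        if dest not in KNOWN_PAYOUT_DESTINATIONS:
            findings.append(f"{event['id']}: payout {obj['id']} to unknown destination {dest}")
    return findings


def audit_events(events):
    """Run audit_event over every event and flatten the findings."""
    return [f for e in events for f in audit_event(e)]


# Constructed sample events mirroring scenarios 2, 3 and 5 (amounts in cents).
SAMPLE_EVENTS = [
    {"id": "evt_1", "type": "coupon.created",
     "data": {"object": {"id": "cpn_1", "percent_off": 90, "duration": "forever"}}},
    {"id": "evt_2", "type": "price.updated",
     "data": {"object": {"id": "price_1", "unit_amount": 100},
              "previous_attributes": {"unit_amount": 12000}}},
    {"id": "evt_3", "type": "payout.created",
     "data": {"object": {"id": "po_1", "amount": 500000, "destination": "ba_unknown"}}},
    {"id": "evt_4", "type": "coupon.created",
     "data": {"object": {"id": "cpn_2", "percent_off": 10, "duration": "once"}}},
]

if __name__ == "__main__":
    for finding in audit_events(SAMPLE_EVENTS):
        print(finding)
```

The benign 10% single-use coupon produces no finding, while the other three sample events are flagged; the same checks can be wired into Stripe Radar alerts or a SIEM rule.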
What can I do to improve API key security for a Stripe account?
We recommend reviewing Stripe’s official documentation on enhancing account security and API key security. Specifically, we suggest readers consider:
Implementing Multi-Factor Authentication on their account
Limiting the IP Addresses that can send API requests
Creating restricted API keys with limited permissions (wherever possible)
Also, we encourage readers to review Stripe’s extensive tutorials about fraud and disputes, which cover Stripe’s fraud detection software Radar, best practices for customer communication and more.
If a Stripe API key is leaked, we recommend following our guide for rotating Stripe secret keys. The most important step is revoking the leaked key as quickly as possible.