InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


STRIPE Live Key Exposed: Bounty: $1000

Hey Hunters,

I found a sensitive Stripe live token leaking on a private program (let's say redacted.com).

Initial Foothold

I collected all the subdomains using tools like Subfinder and Amass. After that, I filtered the live subdomains using httprobe and found a subdomain, admin.redacted.com, which redirects the user/admin to Google OAuth.

Your browser executes JavaScript, which can in turn change the document; in this case, the page's script redirects to Google OAuth. So I fetched admin.redacted.com with curl to get the plain original response, with no script executed and nothing else.

Leaking Stripe live token

Now I had a leaking Stripe live token, but the token's validity still needed to be checked.
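A defender-side check for the step above, added here as an example and not part of the original write-up: it scans a raw response body (what curl returns before the page's JavaScript redirect runs) for Stripe key patterns, separates publishable keys (pk_, meant to be embedded client-side) from secret and restricted keys (sk_, rk_), and reports each finding redacted. The key prefixes are Stripe's documented formats; the sample page, its config blob and the key values are constructed.

```python
import re
from typing import NamedTuple

# Stripe key prefixes: sk_ = secret, rk_ = restricted, pk_ = publishable (meant to be public).
STRIPE_KEY_RE = re.compile(r"\b(sk|rk|pk)_(live|test)_[0-9A-Za-z]{16,}\b")

# Severity by key type: a live secret key is full account access, as in the write-up above.
SEVERITY = {("sk", "live"): "critical", ("rk", "live"): "high",
            ("sk", "test"): "medium", ("rk", "test"): "medium",
            ("pk", "live"): "info", ("pk", "test"): "info"}
SEVERITY_ORDER = ["info", "medium", "high", "critical"]

class Finding(NamedTuple):
    kind: str
    mode: str
    severity: str
    redacted: str  # never log the full key; prefix + last 4 is enough to match it in the dashboard
    line: int

def redact(key: str) -> str:
    prefix, body = key.rsplit("_", 1)  # key bodies are alphanumeric, so the last "_" ends the prefix
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"

def scan_for_stripe_keys(body: str) -> list[Finding]:
    """Scan a raw HTTP response body (as fetched by curl, before any JS runs) for Stripe keys."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for m in STRIPE_KEY_RE.finditer(line):
            kind, mode = m.group(1), m.group(2)
            findings.append(Finding(kind, mode, SEVERITY[(kind, mode)], redact(m.group(0)), lineno))
    return findings

def triage(findings: list[Finding]):
    """Highest severity among the findings, or None if the response is clean."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default=None)

# Constructed sample response: a page that bounces browsers to Google OAuth via JavaScript,
# but whose raw HTML still ships a config blob holding both a publishable and a secret key.
SAMPLE_RESPONSE = """<html><head><script>
  window.location = "https://accounts.google.com/o/oauth2/v2/auth?client_id=example";
</script><script>
  window.__CONFIG__ = {
    stripePublishableKey: "pk_live_CONSTRUCTEDSAMPLE0000000001",
    stripeSecretKey: "sk_live_CONSTRUCTEDSAMPLE0000000002"
  };
</script></head><body></body></html>
"""

if __name__ == "__main__":
    for f in scan_for_stripe_keys(SAMPLE_RESPONSE):
        print(f"line {f.line}: {f.kind}_{f.mode} ({f.severity}) {f.redacted}")
```

Pipe the same scanner over `curl -s` output of every live host from httprobe, and only the sk_/rk_ findings need an incident ticket; pk_ keys are expected in page source.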

Exploiting Stripe Tokens

After checking Keyhacks and the Stripe API documentation, I was able to retrieve a bunch of information, including:

Balance: retrieves the current balance of the Stripe account.

curl https://api.stripe.com/v1/balance -u sk_live_<Secret-Key>:

Balance in the Stripe Account

Customers: retrieves customer data and their payment history, including the customer's name, email, IP address used, and much more.

curl https://api.stripe.com/v1/customers -u sk_live_<Secret-Key>:

Multiple customer’s data and upcoming payments

Charges: retrieves charges and card information. One such card's details are attached below; Stripe only exposes the last four digits of the card number.

curl https://api.stripe.com/v1/charges -u sk_live_<Secret-Key>:

Card Details

Files: retrieves files that the admin has uploaded. These generally include invoices, disputes, events, balances, bank accounts, tokens, charges, and more.

curl https://api.stripe.com/v1/files -u sk_live_<Secret-Key>:

Files retrieved

Impact and Timeline

Sensitive information disclosure affecting the company and its end users.

Reported — 21st August

Rewarded and Fixed — 30th August

Let's connect: https://www.linkedin.com/in/vipul-sahu-a7a420174/
