#JDPT

elfin dust
Hi there!

How can I help?

storm tundra
Cheers, can we take this to private message please?

storm tundra

Alright, I'll keep it anonymous

acct_1BxcrvDhbIdY6uVV This account has literally millions of requests hitting it, but from my investigations it's nothing to do with us (as it's used as a standard connected account for our platform)

I believe they may have created an API key on this account and they have somehow leaked it, rather than some security issue on our end (by using our API key and issuing api calls on behalf of their account)

But I wanted to get confirmation from you before I get back to them with suggestions on what to do next

elfin dust
This account has literally millions of requests hitting it
What types of request? Can you share specific examples?

storm tundra
Yeah we're not testing with this account

It's payments that are constantly getting created on the account

payment intents

Again, if that was the case, we would've created the customer

But you can see from the customer creation event that it was an API call directly through their account rather than from our platform

pi_3MibWTDhbIdY6uVV4XExbkek

As an example

elfin dust
PaymentIntent can only be created with a secret key. So if the platform itself didn't create this, it means their secret key leaked. In this case they need to quickly roll their secret key https://stripe.com/docs/keys#rolling-keys

storm tundra
evt_1MiJEHDhbIdY6uVVi3MIocOh

Example of one of these random customers getting created with their API key, (not through us)

Just want to confirm this is the case, as the customer support representative that got in touch with them was suggesting it was a security problem on our side, which I see no evidence of...

elfin dust
Creating PaymentIntents and customers requires a secret key. So did the standard account make these requests? If not, then they need to roll their secret key.

storm tundra
Not that I can see through the dashboard, but I thought you might be able to confirm this detail by checking out the internal logs for this event? evt_1MiJEDDhbIdY6uVVjiBSdaAV

I want to be sure that the information I give them is accurate, and that they have been misled by the Stripe customer support representative, which would obviously not look good if it turned out not to be the case

elfin dust
This event: evt_1MiJEDDhbIdY6uVVjiBSdaAV comes from this request req_LRIOYRXeZjyS0r, which was made with the secret key of the account. So I don't see anything wrong about it.

storm tundra
Well as far as I'm aware they didn't create it from their side either, so is it safe to assume they somehow leaked their own API key and they need to roll a new one?

elfin dust
Yes, that's exactly what I said earlier. If they didn't make these requests, it means their secret API key has leaked. So they need to roll it ASAP.