#macintoshpie-checkout-ratelimits

stable roseBOT
outer sonnet

We only use hosted checkout right now by the way, we're not sure how they're getting the keys

sonic swallow

Let me consult my colleagues on this one and get back to you

sonic swallow

Hey @outer sonnet apologies for the delay, still looking into this. Can you send me your account ID (acct_1234) so that we can look into the API calls on your account?

north marsh

@outer sonnet I'm taking over as the server is quite busy for my colleagues already. If you can provide more actionable details I can dig into what happened

outer sonnet

Howdy, our account number is acct_15YpNsJAmnYVOvfn

Here you can see where we got spammed by someone automating card testing, which resulted in us getting rate limited around 3:30am MT

north marsh

Can you clarify why you think that means someone "stole your Publishable key" though?

outer sonnet

They did not "steal" the public key since it's available in hosted checkout. I assume they sniffed the network tab, copied the key, then started using it to make API requests themselves

north marsh

Sure, but what tells you that? That's the part I don't understand at all here. To call /v1/payment_pages/:id/confirm you don't just need a Publishable API key, you also need access to the server to create the Checkout page in the first place.

In the meantime I tweaked the settings on your account so that you can have twice as many requests per second/in parallel to avoid this issue moving forward.

outer sonnet
north marsh

I will flag internally though, the problem is not really the Publishable key itself, it's more that they tried to confirm one specific Checkout Session over 1.5k times for example which we should block

outer sonnet

I will flag internally though
That'd be great, thanks! Is there a ticket I can track?

north marsh

No, you should write to support in that case to discuss it

@outer sonnet anything else I can help with?