#prat


pseudo mirageBOT
agile ember
#

Hi there,

What's the problem that you are facing?

unique basin
#

Hey Jack, I found a bug where I am able to use Stripe services that typically require authorization (Ex: Issuing and Treasury APIs) and alter the JSON code examples in the live Stripe documentation page. (My friends and I thought we were altering the documentation page locally but realized we were making changes to the live page once we noticed objects created by one person were showing up on the documentation page of another person.)

#

I sent you more details privately

#

as a direct message

agile ember
#

Please send the information in this chat directly

#

It's OK to share the resource IDs here, only Stripe engineers can access the resources

unique basin
#

We were able to make alterations to the live page and these changes seem to be persisted.

#

it may seem fine but please refresh the page a couple times and you will notice that the objects being displayed contain some personal information and/or harmless changes to values.

compact pike
#

I'll defer to Jack for specifics but Stripe documentation is specific to your account (see in the bottom left you should see your org id). It is interactive and attempts to show examples from your test data, so it is likely that the edits you're making are to your test account, and not anyone else's

unique basin
#

But I am able to make API requests to the Issuing API which I don't have access to

#

And I checked with people in different states, they can see these changes too

compact pike
#

oh okay never mind me then, not the simple issue I thought it might be flies away

agile ember
#

Hi @unique basin, the card holder object that you saw in the API reference is just an example, it's not an actual card holder object in your account.

unique basin
#

but regardless of whether it's active or not I was able to edit your live webpage, my name and other links and stuff show up on your live page