#Doragon-keys


idle knot

@lean crown the best thing would be to roll the key on Stripe's side

lean crown

Thanks, but basically these are not mine 🙂
So I cannot do anything but either contact the dev teams (which 95% of the time are not responding) or reach out to Stripe


Just before your reply, I also emailed info@stripe btw. I am not really fine with knowing anybody can access other users' transaction details

idle knot

oh you mean you found the API keys of someone else's Stripe account in an app you were using?


one thing to be clear on though: if the apps have a pk_live_xxx key in them, that is not so much a problem, it's a publishable key and can't be used to get transaction information or anything. But if they have an sk_live_xxx secret key, that is bad (and the apps would have been built entirely wrong as well). Not much you can do beyond attempting to let the businesses behind those apps know, as you say. Stripe does do automated checks to look for our users leaking their keys (e.g. we participate in https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning ), so we might already have found some of these.