#joetheone-source-IDs

real drift
#

Hello! I don't know this off the top of my head, but let me see what I can find - give me a few minutes

#

Quick clarification - is your tester saying that it's possible for a third party to guess already existing valid source IDs, or are they saying that someone may just guess IDs or a similar format, but do not necessarily exist?

hardy sequoia
#

Yes they are saying you could guess an already valid source id

real drift
#

Just thinking out loud, even if they could guess a valid source ID, they wouldn't be able to do anything with it without having your secret key

hardy sequoia
#

Yeah, the issue is that say a user could guess the source ID of a valid card, they could use our API to save it to their own account and then use it as if they had stored that card themselves

#

We’re moving to the PaymentIntents API soon, but for now I have to deal with this

real drift
#

Can you give me more context on why your API allows your users to specify a random source ID to be attached to the customer?