Razorpay Key ID
Razorpay Key ID is a credential used to authenticate and authorize access to Razorpay's payment processing services. This credential is essential for integrating Razorpay's payment gateway into applications, enabling transactions, and managing payment-related operations. Exposure of a Razorpay Key ID can lead to unauthorized access to payment functionalities, potentially resulting in financial loss and data breaches.
How Does It Look
Razorpay Key IDs can appear in various contexts, such as:
- Environment variables:
  export RAZORPAY_KEY_ID="rzp_test_1234567890abcdef"
- Configuration files (JSON, YAML, .env):
  {
    "razorpay": {
      "key_id": "rzp_test_1234567890abcdef"
    }
  }
- Code snippets:
  razorpay_client = razorpay.Client(auth=("rzp_test_1234567890abcdef", "your_secret"))
- Connection strings:
  razorpay://rzp_test_1234567890abcdef:your_secret@api.razorpay.com
Severity
🟠 High
The Razorpay Key ID provides access to payment processing capabilities, including transaction initiation and management. If exposed, it can lead to unauthorized transactions and access to sensitive financial data. The blast radius includes potential financial loss and data exposure, especially if the associated secret is also compromised.
What Can an Attacker Do?
With immediate access to a Razorpay Key ID, an attacker can exploit payment functionalities:
- Initiate unauthorized transactions (if the secret is also compromised)
- Access transaction history (if read permissions are granted)
- Modify payment settings (if write access is enabled)
- Extract sensitive customer data (if the account has data access permissions)
An attacker could potentially escalate their access by exploiting other vulnerabilities in the application or infrastructure, leading to broader system compromise.
Real-World Impact
Exposure of a Razorpay Key ID poses significant business risks:
The primary impact includes unauthorized financial transactions and data breaches.
Potential consequences include:
- Data Exposure: Customer payment details and transaction history (if the credential has read access to sensitive data)
- Financial Loss: Unauthorized transactions and fraudulent charges (if billing/resource creation is permitted)
- Operational Disruption: Payment processing failures and service downtime (if the attacker modifies payment settings)
- Reputational Damage: Loss of customer trust and brand credibility
In worst-case scenarios, cascading effects could lead to regulatory scrutiny and legal challenges due to compromised financial data.
Prerequisites for Exploitation
An attacker needs the following besides the credential itself:
- Network access: Ability to reach Razorpay's API endpoints
- Additional context: Knowledge of associated secrets or API endpoints
- Rate limits: Awareness of any transaction limits or restrictions imposed by Razorpay
How to Verify If It's Active
To verify whether a Razorpay Key ID is still active, supply it together with its secret as HTTP basic-auth credentials to the Payments API:
curl -u [KEY_ID]:[SECRET] https://api.razorpay.com/v1/payments
Valid credential response: A list of payments with transaction details.
Invalid/expired credential response: An error message indicating authentication failure or invalid credentials.
Detection Patterns
Common Variable Names:
- RAZORPAY_KEY_ID
- RAZORPAY_API_KEY
- RAZORPAY_KEY
- RAZORPAY_ID
- RZP_KEY_ID
- RZP_API_KEY
File Locations:
- .env
- config.json
- settings.yaml
- credentials.py
- app.config
Regex Pattern:
rzp_(test|live)_[a-zA-Z0-9]{10,32}
The mode segment (test_ in the examples above, live_ for production keys) sits between the rzp_ prefix and the alphanumeric part; a pattern of the form rzp_[a-zA-Z0-9]{10,32} stops at that underscore and misses the example keys shown on this page.
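As an added example that is not part of the original page: a small scanner that applies the detection patterns above (the variable names and the Key ID regex) to constructed sample lines, masks each hit for reporting, and flags lines that name a known variable without a literal value. It assumes that production-mode Key IDs carry an rzp_live_ prefix alongside the rzp_test_ prefix shown on this page; the sample input and helper names are constructed.

```python
import re

# Key ID regex adapted from the page's pattern: the mode segment (test_ in the
# page's examples; live_ is assumed here for production keys) sits between the
# rzp_ prefix and the alphanumeric part, so it has to be matched explicitly.
KEY_ID_RE = re.compile(r"\brzp_(test|live)_([A-Za-z0-9]{10,32})\b")

# Variable names listed under "Common Variable Names" above; \b keeps
# RAZORPAY_KEY from matching inside RAZORPAY_KEY_SECRET.
VAR_NAMES = ["RAZORPAY_KEY_ID", "RAZORPAY_API_KEY", "RAZORPAY_KEY",
             "RAZORPAY_ID", "RZP_KEY_ID", "RZP_API_KEY"]
VAR_RE = re.compile(r"\b(" + "|".join(VAR_NAMES) + r")\b")


def mask(key_id: str) -> str:
    """Keep the 9-char 'rzp_xxxx_' prefix and the last 4 chars; redact the
    rest so a finding can be reported without copying the credential."""
    return key_id[:9] + "*" * (len(key_id) - 13) + key_id[-4:]


def scan(text: str) -> dict:
    """Scan text line by line. 'findings' lists each Key ID literal with its
    mode, masked value and any known variable on the same line; 'references'
    lists lines naming a known variable without a literal key (a runtime
    injection point worth a manual look)."""
    findings, references = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        var = VAR_RE.search(line)
        matches = list(KEY_ID_RE.finditer(line))
        for m in matches:
            findings.append({"line": lineno, "mode": m.group(1),
                             "key_id": mask(m.group(0)),
                             "variable": var.group(1) if var else None})
        if var and not matches:
            references.append({"line": lineno, "variable": var.group(1)})
    return {"findings": findings, "references": references}


# Constructed sample input: the contexts listed above plus two decoy lines
# (a secret variable and an unrelated rzp_testing_ identifier).
SAMPLE = """\
export RAZORPAY_KEY_ID="rzp_test_1234567890abcdef"
RAZORPAY_KEY_SECRET=not_a_key_id
"key_id": "rzp_live_AbCdEf0123456789"
razorpay://rzp_test_1234567890abcdef:your_secret@api.razorpay.com
RZP_API_KEY = os.environ["RZP_API_KEY"]
helper = "rzp_testing_helper"
"""
```

Running scan(SAMPLE) yields three findings (lines 1, 3 and 4) and one reference (line 5); the decoy lines produce nothing.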
Remediation Steps
- Revoke immediately - Go to Razorpay Dashboard > API Keys and delete the compromised key.
- Audit access logs - Review Razorpay logs for unauthorized transactions or API calls during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
- Rotate credential - Generate a new API key in Razorpay Dashboard with least-privilege permissions.
- Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in Razorpay and require two-factor authentication for dashboard access.
- Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.