
Square Credentials

Square credentials are authentication tokens used to access Square's suite of financial services, including payment processing, point-of-sale systems, and business analytics. These credentials are critical for businesses that rely on Square to manage transactions and financial data. Exposure of these credentials can lead to unauthorized access to sensitive financial information, fraudulent transactions, and potential financial loss, making their security paramount.


How Does It Look

Square credentials can appear in various contexts, such as:

  • Environment variables:

    export SQUARE_ACCESS_TOKEN="sq0atp-REDACTED"
  • Configuration files (JSON):

    {
      "square": {
        "access_token": "sq0atp-REDACTED"
      }
    }
  • Code snippets:

    const squareClient = new SquareClient({
      accessToken: "sq0atp-REDACTED"
    });
  • Connection strings:

    square://access_token=sq0atp-REDACTED@api.squareup.com

Severity

  • 🔴 Critical

Square credentials are considered critical because they provide access to financial transactions and sensitive business data. Unauthorized access can lead to significant financial loss, data breaches, and reputational damage. The blast radius includes all transactions processed through Square, potentially affecting both the business and its customers.


What Can an Attacker Do?

With immediate access to Square credentials, an attacker can perform a variety of malicious actions:

  • Initiate fraudulent transactions (if the credential has transaction permissions)
  • Access customer payment information (if the account has access to payment data)
  • Modify business analytics and reports (if the credential has write permissions)
  • Access and alter business settings (if administrative permissions are granted)

An attacker could escalate their access by exploiting other connected systems or services, potentially moving laterally within the business's network to compromise additional resources.


Real-World Impact

Exposure of Square credentials poses significant business risks. The primary impact is unauthorized financial transactions and data breaches.

Potential consequences include:

  • Data Exposure: Customer payment details and transaction history (if the credential has read access to sensitive data)
  • Financial Loss: Unauthorized transactions and potential chargebacks (if transaction permissions are enabled)
  • Operational Disruption: Inaccurate financial reporting and analytics (if the attacker has modify permissions)
  • Reputational Damage: Loss of customer trust and brand credibility

In worst-case scenarios, the exposure could lead to cascading effects, such as regulatory scrutiny and long-term financial instability.


Prerequisites for Exploitation

To exploit exposed Square credentials, an attacker needs:

  • Network access to the Square API endpoints
  • Knowledge of the specific Square account or business ID
  • No IP restrictions or rate limits that could hinder unauthorized access

How to Verify If It's Active

To verify if a Square credential is active, use the following command:

curl -X GET "https://connect.squareup.com/v2/locations" -H "Authorization: Bearer [ACCESS_TOKEN]"

Valid credential response: a successful response returns the list of locations associated with the Square account.

Invalid/expired credential response: an error message indicating unauthorized access or an invalid token.
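
The same check as the curl command above, wrapped so it can be reused during incident triage, for example to confirm that a revocation actually took effect. This is an added example, not code from this page or from Square: the HTTP transport is injectable so the verdict logic runs without network access, the token only ever appears in masked form in the result, and reading HTTP 403 as "live but lacking scope for this endpoint" is this example's assumption.

```python
import json
import urllib.error
import urllib.request

# Endpoint from the page's curl command.
LOCATIONS_URL = "https://connect.squareup.com/v2/locations"


def mask_token(token: str) -> str:
    """Keep the type prefix and four characters so a finding stays traceable
    in a ticket without ever copying the full secret."""
    head, _, tail = token.partition("-")
    return f"{head}-{tail[:4]}****"


def _http_send(token: str):
    """Default transport: the same GET as the page's curl command.
    Returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(
        LOCATIONS_URL,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)
        except ValueError:
            body = None
        return err.code, body


def classify(status: int, body) -> str:
    """Map the API's answer to a triage verdict."""
    if status == 200:
        count = len((body or {}).get("locations", []))
        return f"active ({count} location(s) visible)"
    if status == 401:
        return "inactive (rejected as unauthorized: revoked, expired or never valid)"
    if status == 403:
        # Assumption of this example: a token that authenticates but lacks the
        # scope for this endpoint is still a live secret and must be treated as one.
        return "active but lacks permission for this endpoint"
    return f"unknown (HTTP {status})"


def check_square_token(token: str, send=_http_send) -> dict:
    """Return a log-safe record: masked token, raw status and a verdict."""
    status, body = send(token)
    return {"token": mask_token(token), "status": status, "verdict": classify(status, body)}


if __name__ == "__main__":
    # Constructed stand-in for the real call; pass no `send` to hit the API.
    fake_revoked = lambda _t: (401, {"errors": [{"category": "AUTHENTICATION_ERROR"}]})
    print(check_square_token("sq0atp-EXAMPLEexampleEXAMPLE0000", send=fake_revoked))
```

Calling `check_square_token(token)` without a `send` argument performs the real request; the result dict can be attached to the incident record as-is because the token is already masked.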


Detection Patterns

Common Variable Names:

  • SQUARE_ACCESS_TOKEN
  • SQUARE_API_KEY
  • SQUARE_SECRET
  • SQUARE_CLIENT_ID
  • SQUARE_CLIENT_SECRET
  • SQUARE_TOKEN

File Locations:

  • .env
  • config.json
  • settings.yaml
  • credentials.txt
  • appsettings.json

Regex Pattern:

sq0[a-z]{3}-[A-Za-z0-9\-_]{22,}
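
The regex above, applied as a small scanner over constructed sample lines. This is an added example and not part of the page's own tooling: a line is reported either because a value matches the regex or because it assigns one of the variable names listed above, each hit is masked so the finding can be logged without copying the secret, and the three-letter type code after `sq0` is mapped to a credential type. That type-code mapping (`atp`, `atb`, `csp`, `csb`, `idp`, `idb`) is this example's assumption, not something the page states, and should be checked against Square's documentation. The same function can run over staged files as the pre-commit check called for in the remediation steps.

```python
import re
from typing import Iterable, List, NamedTuple

# Regex exactly as given on the page: "sq0", a three-letter type code, a dash,
# then 22 or more token characters.
SQUARE_TOKEN_RE = re.compile(r"sq0[a-z]{3}-[A-Za-z0-9\-_]{22,}")

# Variable names from the page's "Common Variable Names" list. An assignment to
# one of these is reported even when the value does not match the regex, so
# placeholders and differently shaped secrets still get a human look.
VARIABLE_NAMES = (
    "SQUARE_ACCESS_TOKEN", "SQUARE_API_KEY", "SQUARE_SECRET",
    "SQUARE_CLIENT_ID", "SQUARE_CLIENT_SECRET", "SQUARE_TOKEN",
)
ASSIGNMENT_RE = re.compile(r"\b(" + "|".join(VARIABLE_NAMES) + r")\b\s*[=:]\s*\S")

# Assumed mapping of the type code to a credential type (not stated on the page).
TYPE_CODES = {
    "atp": "access token (production)",
    "atb": "access token (sandbox)",
    "csp": "application secret (production)",
    "csb": "application secret (sandbox)",
    "idp": "application ID (production, not a secret)",
    "idb": "application ID (sandbox, not a secret)",
}


class Finding(NamedTuple):
    line_no: int
    kind: str    # "token": value matched the regex; "variable": a listed name is assigned
    detail: str  # credential type for tokens, variable name for assignments
    masked: str  # what is safe to put in a log or ticket


def mask_token(token: str) -> str:
    """Keep the prefix and four characters; never emit the full secret."""
    head, _, tail = token.partition("-")
    return f"{head}-{tail[:4]}****"


def credential_type(token: str) -> str:
    code = token[3:6]
    return TYPE_CODES.get(code, f"unknown type code '{code}'")


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan text line by line; regex hits take precedence over name hits."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        tokens = SQUARE_TOKEN_RE.findall(line)
        if tokens:
            for tok in tokens:
                findings.append(Finding(line_no, "token", credential_type(tok), mask_token(tok)))
            continue
        m = ASSIGNMENT_RE.search(line)
        if m:
            shown = line[: m.end(1)].strip() + "=<value hidden>"
            findings.append(Finding(line_no, "variable", m.group(1), shown))
    return findings


# Constructed sample input (not real data): .env, JSON and source lines mixed.
SAMPLE_LINES = [
    "# .env (constructed sample)",
    "DATABASE_URL=postgres://app:app@db/app",
    "SQUARE_ACCESS_TOKEN=sq0atp-EXAMPLEexampleEXAMPLE0000",
    '  "client_secret": "sq0csp-EXAMPLEexampleEXAMPLE0001",',
    "SQUARE_API_KEY=changeme",
    "token = os.environ['SQUARE_TOKEN']",  # a lookup, not a hardcoded value
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind:8} {f.detail:40} {f.masked}")
```

The last sample line is deliberately not reported: it reads the token from the environment rather than embedding it, which is the pattern the remediation steps push towards.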

Remediation Steps

  1. Revoke immediately - Go to Square Developer Dashboard > Apps > Manage App > Credentials and delete the compromised token.
  2. Audit access logs - Review Square API logs for unauthorized transactions or data access during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Generate a new access token in the Square Developer Dashboard with least-privilege permissions.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting in Square settings and require two-factor authentication for account access.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

