
Stripe API Key

Stripe API keys are critical credentials used to authenticate requests to the Stripe API, which is a payment processing platform. These keys allow applications to interact with Stripe services, such as processing payments, managing subscriptions, and handling customer data. Exposure of a Stripe API key can lead to unauthorized access to sensitive financial information and the ability to perform transactions, posing a significant security risk.


How Does It Look

Stripe API keys can appear in various contexts, such as:

  • Environment variables:

    export STRIPE_API_KEY="sk_live_********************"
  • Configuration files (JSON):

    {
    "stripeApiKey": "sk_live_********************"
    }
  • Code snippets:

    stripe.api_key = "sk_live_********************"
  • Connection strings:

    stripe://sk_live_********************@api.stripe.com

Severity

  • 🔴 Critical

Stripe API keys provide access to a wide range of financial operations, including processing payments and accessing customer data. The blast radius of an exposed key is extensive, potentially affecting all transactions and customer interactions associated with the account.


What Can an Attacker Do?

With immediate access to a Stripe API key, an attacker can perform unauthorized actions on the Stripe account.

Key actions an attacker can perform:

  • Process fraudulent transactions (if the key has payment processing permissions)
  • Access sensitive customer data (if the key has read access to customer information)
  • Issue refunds or chargebacks (if the key has write permissions for transactions)
  • Modify subscription plans (if the key has permissions to manage subscriptions)

An attacker could escalate their access by exploiting other vulnerabilities in the connected systems or using the financial data to perform social engineering attacks.


Real-World Impact

Exposure of a Stripe API key poses significant business risks, including financial and reputational damage.

Potential consequences include:

  • Data Exposure: Customer payment details and personal information (if the credential has read access to sensitive data)
  • Financial Loss: Unauthorized transactions and refunds (if billing/resource creation is permitted)
  • Operational Disruption: Interruption of payment processing services (if the attacker has delete/modify permissions)
  • Reputational Damage: Loss of customer trust and brand credibility

In the worst-case scenario, the exposure could lead to cascading effects, such as regulatory scrutiny and legal challenges due to compromised customer data.


Prerequisites for Exploitation

  • Network access requirements: Internet access to communicate with Stripe's API endpoints
  • Additional context needed: Knowledge of the account's API endpoints and potential customer data structures
  • Rate limits or restrictions: Stripe's API rate limits may slow down exploitation but won't prevent it

How to Verify If It's Active

To verify if a Stripe API key is active, use the following command (the trailing colon after the key is intentional: it makes curl send the key as the Basic-auth username with an empty password, which is how Stripe expects secret keys to be presented):

curl -u [API_KEY]: https://api.stripe.com/v1/charges

Valid credential response: A successful response will return a list of charges or an empty list if no charges exist.

Invalid/expired credential response: An error message indicating authentication failure or invalid API key.


Detection Patterns

Common Variable Names:

  • STRIPE_API_KEY
  • stripeApiKey
  • STRIPE_SECRET_KEY
  • stripeSecret
  • STRIPE_KEY
  • stripeKey

File Locations:

  • .env
  • config.json
  • settings.yaml
  • appsettings.json

Regex Pattern:

sk_live_[0-9a-zA-Z]{24}

Remediation Steps

  1. Revoke immediately - Go to Stripe Dashboard > Developers > API keys and delete the compromised key.
  2. Audit access logs - Review Stripe logs for unauthorized transactions or data access during the exposure window.
  3. Assess blast radius - Identify all systems, applications, and environments that used the exposed credential.
  4. Rotate credential - Generate a new API key in the Stripe Dashboard with least-privilege permissions.
  5. Update dependent systems - Deploy the new credential to all applications and update CI/CD pipelines securely.
  6. Harden access controls - Enable IP allowlisting in Stripe and require two-factor authentication for account access.
  7. Implement secrets management - Migrate credentials to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch credential leaks before they reach production.
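As an added example that is not part of the original page, the Python scanner below applies the variable names and key pattern from the Detection Patterns section and is shaped so it can back the pre-commit hook called for in remediation step 8. It assumes a widened key regex (`{24,}` instead of the page's `{24}`, and `sk_test_`/`rk_` prefixes), which is not on the page; the sample lines are constructed.

```python
import re

# Variable names from the Detection Patterns list; an assignment to one of them is reported
# even when the value is masked, so a regex miss is not a blind spot.
STRIPE_VAR_NAMES = {"STRIPE_API_KEY", "stripeApiKey", "STRIPE_SECRET_KEY",
                    "stripeSecret", "STRIPE_KEY", "stripeKey"}
# Page pattern is sk_live_[0-9a-zA-Z]{24}; widened (assumption) to {24,} because current
# Stripe secret keys are longer, and to sk_test_ and restricted rk_ keys.
KEY_RE = re.compile(r"\b(sk|rk)_(live|test)_[0-9a-zA-Z]{24,}\b")
# name = value  or  "name": value; group 2 is the first unquoted run of the value
ASSIGN_RE = re.compile(r"""["']?([A-Za-z_][A-Za-z0-9_]*)["']?\s*[:=]\s*["']?([^"'\s,}]*)""")
ENV_REFS = ("os.environ", "process.env", "getenv", "${")  # references, not literals


def redact(value):
    """Keep prefix and last 4 chars so a finding can be triaged without re-leaking the key."""
    return value[:8] + "****" + value[-4:] if len(value) >= 16 else "****"


def scan_lines(lines, path="<memory>"):
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = KEY_RE.search(line)
        if m:  # high confidence: a well-formed live/test key literal
            findings.append({"file": path, "line": lineno, "reason": "key_pattern",
                             "env": m.group(2), "value": redact(m.group(0))})
            continue
        a = ASSIGN_RE.search(line)
        if a and a.group(1) in STRIPE_VAR_NAMES:  # lower confidence: known name, literal value
            value = a.group(2)
            if value and not any(ref in value for ref in ENV_REFS):
                findings.append({"file": path, "line": lineno, "reason": "named_variable_literal",
                                 "env": None, "value": redact(value)})
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_lines(fh.read().splitlines(), path)


# Constructed sample (no real credentials) mirroring the formats in "How Does It Look".
SAMPLE = """\
export STRIPE_API_KEY="sk_live_abcdefghijklmnopqrstuvwx"
{"stripeApiKey": "sk_live_********************"}
stripe.api_key = "sk_test_1234567890abcdefghijklmnopqrstuvwxyz"
DATABASE_URL="postgres://user:pw@db/app"
STRIPE_KEY=os.environ["STRIPE_KEY"]
""".splitlines()
```

Run `scan_file` over staged files in a pre-commit hook and fail the commit when it returns any finding; the masked-value case shows why the named-variable check matters alongside the regex.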

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

