As I dug deeper, I stumbled upon a gold mine of sensitive data: hardcoded secrets that were being used to process payments through Stripe. The secrets in question were none other than the Stripe API publishable key and secret key themselves. These keys were stored in the front-end of the application, which made them easy pickings for anyone with a malicious intent.
Finding the bug
You see that? Yea! That’s the secret API key!! Stripe has a very convenient API that can be used to check the balance of this account, or transfer the money to a different account. Hello bitcoin! (kidding)
As you can imagine, I was ecstatic to receive the $25,000 bug bounty from the company’s security team. It was an incredible feeling to know that my efforts had helped secure the platform and prevent any malicious actors from exploiting this critical vulnerability.
What was even more surprising was the company’s reaction to my discovery. They were so appreciative of my ethical approach that they even joked about being happy I didn’t take any money out of the Stripe account! This goes to show how important it is to have ethical hackers working towards improving the security of digital platforms.
Subscribe to our blog
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.