Security Issue: Should not include private Stripe Key client side #9

Open

matthewarkin opened this issue Dec 15, 2015 · 5 comments

@matthewarkin

This plugin has the developer include their private Stripe API key client side. This means anyone could download an APK that uses this plugin, peer into it and see the API key in plain text.

What does that mean? At a minimum they can use one's Stripe account to test cards, refund someone's charges, cause callbacks, and other bad things.

This should be fixed ASAP.

@praboud

praboud commented Dec 15, 2015

This key disclosure is particularly insidious, because once you know your keys have been leaked, your story for how to roll them is quite bad. Rolling your keys is going to require all released copies of the app to be updated, which would be painful.

At a bare minimum, the fix here needs to be to move the part of the application which creates charges to a server-side component. The only interaction the app itself should have with Stripe is to create card tokens.

The problem becomes that any app which relies on the currently presented interface (i.e. trusting the client to do billing) is going to be susceptible to all sorts of hilarity. (To use the simplest possible example, you could just patch the app and comment out the bit that bills the user. Admittedly, you'd need to jailbreak your iOS device / mod your Android device to do so.) Unfortunately, I get the sense that there's no way of really fixing this without substantial rework of the applications that use this plugin.

@cybergibbons

I have now come across two Cordova apps that have had the Stripe secret key embedded due to this plugin. I don't think it is made clear enough in the documentation - this should not be used for normal client applications.

@EddyVerbruggen

Can you send a PR for the readme perhaps?

Btw, it's being worked on, I'll ask what the status is.

@cybergibbons

Done.

@voiyt3d

voiyt3d commented Feb 21, 2017

Hi!
Has this issue been resolved?
Is the plugin still not secure?
I need to use Stripe in a Cordova based app.
If this is not secure, could you please recommend what I should be using?
Greatly appreciate any help!
Thanks!
