Security Issue: Should not include private Stripe Key client side #9
Comments
This key disclosure is particularly insidious, because once you know your keys have been leaked, your story for how to roll them is quite bad. Rolling your keys is going to require all released copies of the app to be updated, which would be painful. At a bare minimum, the fix here needs to be to move the part of the application which creates charges to a server-side component. The only interaction the app itself should have with Stripe is to create card tokens. The problem becomes that any app which relies on the currently presented interface (i.e. trusting the client to do billing) is going to be susceptible to all sorts of hilarity. (To use the simplest possible example, you could just patch the app, and comment out the bit that bills the user. Admittedly, you'd need to jailbreak your iOS device / mod your Android device to do so.) Unfortunately, I get the sense that there's no way of really fixing this without substantial rework of the applications that use this plugin.
I have now come across two Cordova apps that have had the Stripe secret key embedded due to this plugin. I don't think it is made clear enough in the documentation: this should not be used for normal client applications.
Can you send a PR for the readme perhaps? Btw, it's being worked on, I'll ask what the status is.
Done.
Hi!
This plugin has the developer including their private Stripe API key client side; this means anyone could download an APK that uses this plugin, peer into it and see the API key in plain text.
What does that mean? At a minimum they can use one's Stripe account to test cards, refund someone's charges, cause callbacks, and other bad things.
This should be fixed ASAP
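Since the key sits in plain text inside the shipped bundle, the practical defence is to scan the packaged `www/` tree before every release and fail the build if anything other than a publishable key is present. The following scanner is an added example written for this page; it is not code from the plugin or from anyone in this thread. It assumes Stripe's documented key prefixes (`sk_` secret, `rk_` restricted, `pk_` publishable, each followed by `live_` or `test_`) and a minimum key-body length of 16 characters, which is a conservative guess rather than a Stripe guarantee. The sample bundle and every key value in it are constructed placeholders.

```javascript
// Added example (not part of the plugin or this issue thread): scan extracted
// app files for embedded Stripe keys and flag the ones that must never ship
// in a client bundle. Runs offline on constructed sample input.

// Assumption: key prefixes follow Stripe's documented scheme (sk_ = secret,
// rk_ = restricted, pk_ = publishable) and a key body is at least 16 chars.
const KEY_PATTERN = /\b(sk|rk|pk)_(live|test)_[A-Za-z0-9]{16,}\b/g;

// Only publishable keys are designed to be visible to clients; secret and
// restricted keys belong on the server that creates charges.
const KIND = { sk: "secret", rk: "restricted", pk: "publishable" };

// Report prefix and last four characters so a finding is identifiable
// without reprinting the whole key into build logs.
function redact(key) {
  const m = /^([a-z]{2}_(?:live|test)_)/.exec(key);
  return `${m[1]}...${key.slice(-4)}`;
}

// Scan one file's text; returns one finding per key occurrence.
function scanFile(path, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      const kind = KIND[match[1]];
      const mode = match[2];
      findings.push({
        file: path,
        line: i + 1,
        kind,
        mode,
        key: redact(match[0]),
        // A live secret in a client build is the worst case; a test secret
        // still proves the wrong key type is being shipped.
        severity: kind === "publishable" ? "info" : mode === "live" ? "critical" : "high",
      });
    }
  });
  return findings;
}

// files: { "relative/path.js": "file contents", ... }
function scanBundle(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    findings.push(...scanFile(path, text));
  }
  return findings;
}

// Release gate: anything that is not a publishable key blocks the build.
function shouldBlockBuild(findings) {
  return findings.some((f) => f.kind !== "publishable");
}

// Constructed sample of what an extracted Cordova www/ tree might contain.
// The key values are fabricated placeholders, not real Stripe keys.
const SAMPLE_BUNDLE = {
  "www/js/index.js": [
    "var stripe = Stripe('pk_test_EXAMPLEPUBLISHABLE000000001');",
    "var secret = 'sk_live_EXAMPLESECRETKEYDONOTSHIP01';",
  ].join("\n"),
  "www/js/config.js": "var restricted = 'rk_test_EXAMPLERESTRICTED00000002';",
  "www/js/util.js": "function add(a, b) { return a + b; }",
};

const sampleFindings = scanBundle(SAMPLE_BUNDLE);
for (const f of sampleFindings) {
  console.log(`${f.severity.toUpperCase()} ${f.file}:${f.line} ${f.kind} ${f.mode} key ${f.key}`);
}
console.log(shouldBlockBuild(sampleFindings) ? "build blocked" : "build ok");
```

Run it against the directory the Cordova build actually packages (after any minification step, since keys survive minification unchanged) rather than against source, and treat a `critical` finding as grounds to rotate the key immediately: as the comment above notes, once a secret has been in a published APK it has to be assumed leaked.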