STRIPE API-Key Disclosure to Bounty

#$ubh@nk@r
3 min readJun 9, 2024

--

Intro : Hello Hackers!!👋 what’s up. Hope you are all Fine. Today I will discuss about STRIPE Live API-KEY Disclosure that gives me a Easy Bounty. Here I will discuss all the Steps → how to exploit it and how to increase the Impact. So let’s jump into it.

Recon :

First I collect all the Domains from a Target and then start My Recon. Basically I open all the Website and try to Enumerate hidden Files and API-Keys. Basically I use this Extension below.

While hunting a Subdomain I found in one of the Javascript File it leaks the STRIPE live API Key [Using the Extension]. Here it is below.

And this is the API Key.

stripe:{apiKey:"sk_live_apiKey"}

Exploit it :

I use KeyHacks Github Repo to Exploit it.

For increasing the Impact I start Exploiting the API Key. First I ran this command below. And I got all Internal Payment Details.

curl https://api.stripe.com/v1/balance -u 'apiKey'

Then I try to list all Possible Customers. I got all User’s ID and their Emails also.

curl https://api.stripe.com/v1/customers -u 'apiKey'

I can also List the Internal Sensitive Files.

curl https://api.stripe.com/v1/files -u 'apiKey'

That’s how I exploited this Vulnerability and Reported it to the Security Team. And after someday they accept it with Medium Impact and eligible for Bounty.

And that’s it for today. Hope you learn something new. Stay tuned for my next Article.

THANKS FOR READING!😄

If you like it don’t forget to Like it and Follow me for more Articles.

Happy Hacking~

--

--