
Stripe Security Advisory: API Keys in JavaScript Allow Full Account Takeover - not_a_doctor
I was doing some code searches with nerdydata.com to find which websites use Stripe's Javascript integration.

By chance I searched for Stripe Secret API Keys (using this regular expression sk_live_\w+) and found that there are a few sites exposing keys in publicly available source code.

These secret API Keys let anyone access a full list of the business's customers' information, including names, emails, credit card types/last4, and other related banking information.

Always consider exposed keys as compromised. I wonder how long they have been live and public.

https://nerdydata.com/search?regex=true&terms[]=sk_live_%5Cw%2B

https://nerdydata.com/search?regex=true&table=jsfiles&terms[]=sk_live_%5Cw%2B

https://nerdydata.com/search?regex=true&table=deepweb&terms[]=sk_live_%5Cw%2B
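The same pattern the post searched for can be run defensively over your own bundles and repositories before they ship. The scanner below is an added example, not code from the post or from Stripe; it assumes Stripe's documented key prefixes (pk_ publishable, sk_ secret, rk_ restricted, each in live or test mode), runs over constructed sample files, and reports only redacted key fragments so the scanner's own output does not become a second leak.

```python
import re
from dataclasses import dataclass

# Assumption: Stripe prefixes. Secret (sk_) and restricted (rk_) keys are
# server-side only; publishable (pk_) keys are meant to reach the browser.
SECRET_KEY_RE = re.compile(r"\b(sk|rk)_(live|test)_[A-Za-z0-9]{10,}\b")
PUBLISHABLE_KEY_RE = re.compile(r"\bpk_(live|test)_[A-Za-z0-9]{10,}\b")

# Constructed sample files; the key values are fake and deliberately obvious.
SAMPLE_FILES = {
    "checkout.js": (
        'const stripe = Stripe("pk_live_EXAMPLEpublishable00001234");\n'
        "// server-side key that should never have been bundled for the browser\n"
        'const SECRET = "sk_live_EXAMPLEonly0000000000abcd";\n'
        'const prefixOnly = "sk_live_";  // too short to be a key: no finding\n'
    ),
    "server.rb": 'Stripe.api_key = ENV["STRIPE_SECRET_KEY"]\n',  # correct: no literal key
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "secret" or "publishable"
    mode: str      # "live" or "test"
    redacted: str  # prefix plus last 4 chars, never the full key

def redact(key: str) -> str:
    # Keep "xx_mode_" (up to and including the second underscore) and the last 4 chars
    head = key[: key.index("_", key.index("_") + 1) + 1]
    return f"{head}{'*' * 8}{key[-4:]}"

def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "secret", m.group(2), redact(m.group(0))))
        for m in PUBLISHABLE_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "publishable", m.group(1), redact(m.group(0))))
    return findings

def scan_files(files: dict) -> list:
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    # live secret keys are the actionable findings; surface them first
    return sorted(findings, key=lambda f: (f.kind != "secret", f.mode != "live", f.path, f.line))

def has_live_secret_exposure(findings: list) -> bool:
    return any(f.kind == "secret" and f.mode == "live" for f in findings)

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.mode} key {f.redacted}")
```

Wired into a pre-commit hook or CI step, a non-empty `has_live_secret_exposure` result should fail the build and trigger a key roll, since the post's advice is to treat any exposed key as already compromised.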
======
not_a_doctor
Sources:

https://nerdydata.com/search?regex=true&terms[]=sk_live_%5Cw%2B

https://nerdydata.com/search?regex=true&table=jsfiles&terms[]=sk_live_%5Cw%2B

https://nerdydata.com/search?regex=true&table=deepweb&terms[]=sk_live_%5Cw%2B

https://support.stripe.com/questions/what-happens-if-my-api-key-is-compromised

------
brianwawok
I very much like how Stripe does their keys. If the key were just a GUID, you would
not be able to do this search.

Hopefully they do something like troll google and github for sk_live and auto
disable those keys ;)

