Hey Hunters,
I found a sensitive Stripe live token leaking on a private program [let’s say redacted.com].
I collected all the subdomains using tools like Subfinder and Amass, then filtered the live ones with httprobe. I found a subdomain, admin.redacted.com, which redirects the user/admin to Google OAuth.
The browser executes the page's JavaScript, which can, in turn, change the document; in this case it redirects to Google OAuth before anything is shown. Fetching admin.redacted.com with curl instead returned the plain original response, with no JavaScript executed, and nothing else.
Now I had a leaked Stripe live token, but its validity still needed to be checked.
After checking Keyhacks and the Stripe API documentation, I was able to pull a bunch of information, including:
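The same curl-versus-browser gap, turned into a detection check. This is an added example and not the author's code: it scans the raw response body (the one a browser never shows because the inline script redirects first) for Stripe secret-key patterns and reports them redacted. The sample HTML and every key value in it are constructed; `fetch_raw` is a hypothetical helper that fetches a page the way curl does, without running JavaScript.

```python
import re
import urllib.request
from typing import Dict, List
# Added example (not the author's code): scan a page's *raw* HTML for Stripe
# secret keys. A browser follows the JavaScript redirect to Google OAuth and
# never shows the document; a plain client sees all the server sent, like curl.

# Secret ("sk_") and restricted ("rk_") keys; "pk_" publishable keys are
# designed to be public and are deliberately not matched.
STRIPE_SECRET_RE = re.compile(r"\b(sk|rk)_(live|test)_[0-9a-zA-Z]{24,}\b")

def find_stripe_secrets(body: str) -> List[Dict[str, str]]:
    """Return each distinct key found, with the key value redacted."""
    seen, findings = set(), []
    for m in STRIPE_SECRET_RE.finditer(body):
        key = m.group(0)
        if key in seen:
            continue
        seen.add(key)
        kind, mode = m.group(1), m.group(2)
        findings.append({
            "kind": "restricted" if kind == "rk" else "secret",
            "mode": mode,
            # never log the full key: keep prefix and last 4 chars only
            "redacted": f"{kind}_{mode}_...{key[-4:]}",
            "severity": "critical" if mode == "live" else "medium",
        })
    return findings

def fetch_raw(url: str, timeout: int = 10) -> str:
    """Fetch the document without executing JavaScript (what curl does)."""
    req = urllib.request.Request(url, headers={"User-Agent": "secret-scan/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

# Constructed sample: a page whose <script> redirects to Google OAuth but
# whose source still carries credentials. All key values are made up.
SAMPLE_HTML = """<html><head>
<script>window.location = "https://accounts.google.com/o/oauth2/auth?client_id=x";</script>
<script>
  var stripePk = "pk_live_EXAMPLEpublishable00000000";
  var stripeSk = "sk_live_EXAMPLEsecretkey0000000000abcd";
  var stripeSk2 = "sk_live_EXAMPLEsecretkey0000000000abcd";
  var legacy = "sk_test_EXAMPLEtestkey000000000000";
</script></head><body>Redirecting...</body></html>"""

if __name__ == "__main__":
    for finding in find_stripe_secrets(SAMPLE_HTML):
        print(finding)
```

Running this over your own deploy artifacts or a CI fetch of public pages catches the class of leak described here before a bounty hunter does; a client-side redirect is not access control.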
Balance: retrieves the current balance of the Stripe account.
curl https://api.stripe.com/v1/balance -u sk_live_<Secret-Key>:
Customers: retrieves customer data and tracks payments, including the customer’s name, email, IP address used, and more.
curl https://api.stripe.com/v1/customers -u sk_live_<Secret-Key>:
Charges: retrieves charges and card information; the card details from one such charge are also attached below. Stripe only exposes the last four digits.
curl https://api.stripe.com/v1/charges -u sk_live_<Secret-Key>:
Files: retrieves files the admin has uploaded. These generally include invoices, disputes, events, balances, bank accounts, tokens, charges, and more.
curl https://api.stripe.com/v1/files -u sk_live_<Secret-Key>:
Impact: sensitive information disclosure affecting the company and its end users.
Reported — 21st August
Rewarded and Fixed — 30th August
Let's connect: https://www.linkedin.com/in/vipul-sahu-a7a420174/