I will, but I’m 85% sure they already know – but they made a business decision to make one OAuth flow for all “platforms” for a consistent & simpler UX (at the expense of extra security risk, which they’ve accepted).

Edit: wait, did you mean email stripe or email the pentest company that authored the article of common oauth vulns?

https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

I haven’t seen it. Thanks for sharing!

afaik, it doesn’t cover this use-case (where the Resource Server [Stripe] just uses the wrong flow – forcing us to expose our access keys to a third party).

But, curious, it lists 0 attacks for the OAuth Flow that Stripe should be using here = Client Credentials Flow.

Edit: ahhhhh, this paragraph is elucidating

The Authorization Code Flow is one of the most widely used OAuth flows in web applications. Unlike the Implicit Flow, which requests the Access Token directly to the Authorization Server, the Authorization Code Flow introduces an intermediary step. In this process, the User Agent first retrieves an Authorization Code, which the application then exchanges, along with the Client Credentials, for an Access Token. This additional step ensures that only the Client Application has access to the Access Token, preventing the User Agent from ever seeing it.

I confirmed that Stripe is using the Authorization Code Flow

curl https://connect.stripe.com/oauth/token \
-u sk_test_MgvkTWK1jRG3olSRx9B7Mmxo: \
-d “code”=”ac_123456789” \
-d “grant_type”=”authorization_code”

• source: https://docs.stripe.com/connect/oauth-reference#post-token-request

…but it does appear to be using the wrong OAuth Flow type. They give the token to us in the end. There’s no need to expose it to a third party.

So I guess “choosing the wrong flow type” would be a valid addition to the “attacks” section under Authorization Code Flow

No, I’m not forced to use Stripe.

I’m looking at mollie now, but I don’t really know of any better alternatives to Stripe. Got a recommendation?

Anything that requires a PayPal account is not an option.

Edit: Mollie won’t let us create an account unless we push >50.000 EUR/mo. Yeah, we’re a small business. We’re wayyy under that limit. So no Mollie :(

Thanks. It’s a good guess, but that’s not the case.

The developers confirmed that the only place the OAuth access tokens are stored is on my server. Of course, the dev’s server (which sees the [non-expiring!] access keys for >800,000 Stripe Accounts!) would be a ripe target for someone malicious. But it’s not designed to store the keys there. All subsequent connections to the Stripe API are done directly between my server and Stripe’s server (with no intermediary “platform”). The token is only exposed to the dev server when OAuth flow is first established. Then the dev server (effectively a MITM, by design) sends it down to my server for storing and future use.

PCI compliance on my server isn’t an issue because all sensitive payment information is tokenized.

The reason this is done is because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.

For security purposes, Stripe redirects a user only to a predefined URI.

• https://docs.stripe.com/connect/oauth-reference#redirect-uri

That’s why Stripe forces you to expose your access tokens to the developer’s servers.

I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer’s servers.

Update: It looks like you’re describing their “Platform” option. In 2025, there’s 3 “authentication types” for Stripe Apps, as documented here

1. Platform
2. OAuth 2.0
3. Restricted API Keys

In this case, I’m talking about OAuth 2.0 (Stripe Connect), not “Platform”

I have been, but Stripe support hasn’t been helpful.

Update: one of the plugin authors finally explained it well:

It’s because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.

For security purposes, Stripe redirects a user only to a predefined URI.

• https://docs.stripe.com/connect/oauth-reference#redirect-uri

That’s why Stripe forces you to expose your access tokens to the developer’s servers.

I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer’s servers.

Can you elaborate? Any idea why Stripe would choose this design?

I think Stripe generally has good security practices. But I just can’t understand this design choice. There has to be a reason…

Please read the question. I am not the developer; I can’t change to keycloak.

Hi, Michael Altfield here. I was the sysadmin for OSE from 2017-2020.

Everything OSE does is transparent, so you can just check the OSE websites to see what everyone is currently working-on. OSE contributors log their hours in a worklog called “OSE Dev”. There you can quickly see who is working on what.

• https://osedev.org/graphs

The above graphs show 4 contributors in the past ~10 weeks (one is me; we had some issues with the apache config recently). There’s no direct link, but you can then check the wiki to see people’s work logs (just search for the person’s name and Log):

• https://wiki.opensourceecology.org/wiki/Marcin_Log
• https://wiki.opensourceecology.org/wiki/Catarina_Log
• https://wiki.opensourceecology.org/wiki/Alexa_Log
• https://wiki.opensourceecology.org/wiki/Maltfield_Log

I also like to look at the MediaWiki “Recent Changes” page to peak at what people are up-to as well:

• https://wiki.opensourceecology.org/index.php?title=Special:RecentChanges&limit=500&days=30

I told Marcin about Lemmy back in June 2023. Another OSE contributor even created an OSE community on the slrpnk.net instance, but it appears to have been abandoned. I’ll email him about this thread to see if he’ll bite and publish updates in this community since there’s clearly interest :)

Also, shameless plug: I started an org that’s very similar in spirit to OSE called Eco-Libre, with a focus on projects to sustainably enfranchise human rights in smaller communities. We’re currently accepting volunteers ;)

• https://eco-libre.org/join

You definitely can do that, but if you’re afraid that you might stand-up and forget you’re using it, then you probably shouldn’t.

It’s probably enough to just use the default trigger that locks your screen. Or, once you get comfortable with it, set it to shut down your computer. Most people don’t need to shred their FDE keys, unless they’re facing torture.

In fact, we make it difficult to use “destructive” triggers (like the LUKS Header Shredder that wipes the FDE header) and intentionally do not include the ability to switch to it in the app. To use it, you have to do a lot of extra work. So most users don’t have this issue.

Why? It defaults to just locking your screen. So you stand-up, the magnetic breakaway cable separates, and then you just have to type your password…

If you’re the type of person that would forget to lock your computer before standing up and walking away, then it’s exactly what you’d want.

It has a magnetic (de)coupler, which allows it to break away at any angle if your laptop is physically snatched away from you.

Some of our users actually use the BusKill cable with a Yubikey:

• https://humandecoded.io/qubes-os-yubikey-buskill/

If that’s not clear, I highly recommend watching this 2-minute explainer video

• https://www.buskill.in/#demo

I build open-source USB Dead Man Switches and the accompanying (also free) software

Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

You attach the kill cable to your body and if the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys. It’s designed to protect high-risk users’ data. Data could include private keys (eg theft of cryptocurrency assets), contacts of correspondence (eg sources of a journalist – such as whistleblowers), etc.

I’ve paid myself nothing so-far. The price just barely breaks-even for the business. There’s one-time costs like a few grand for a CNC’d injection mold and assembly jig, but also certification fees, product boxes, cardstock paper for documentation inserts, printing fees, artist commissions, packaging materials, warehousing, shipping, other logistics fees, etc.

All of this is explained in-detail in “The Finances” section here.

I prefer open-source hardware to be designed using common off-the-shelf items that are easily found everywhere in the world. Unfortunately, the one vendor of a USB-A magnetic breakaway couplers decided to EOL their product shortly after I published a guide on how to build your own BusKill cable. After we published, they all got sold-out, and we had to go to manufacturers for a custom component.

Prices would drop dramatically if we could do production runs (and actually sell) >10,000 units at a time. Currently we only sell a few cables per month. If you want to help, please tell all your security-conscious friends about BusKill :)

Unfortunately, that’s what it costs to make open-source hardware at small-scale.

There’s a cheaper $59 cable available or you could build your own.

Yeah, once they document how to use it, I hope they also publish an PSA telling all users to disable their existing keys and migrate to using Restricted API Keys

I consider “support” for this as having it documented. It’s not a boolean “on” / “off”. To “support Restricted API Keys” would mean that they document the minimum set of permissions required (which is a long list of properties, each set to “none” or “read” or “write”).

Indeed, I’m very happy to see they’ve changed it from ‘low-priority’ to ‘high-priority’. Hopefully they’ll update the documentation with the permissions needed for Restricted API Keys soon.

The problem is that creating a “Restricted API Key” means you have to tick “read” or “write” for dozens of different API “resource types”.

So if WooCommerce doesn’t document which resource types are needed, then “Restricted API Keys” are basically not supported because even security-conscious users cannot know how to produce a key that is fully functional yet satisfies the PoLP.

I’m curious if any security engineers have covered this incident.

Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (eg adding a new “Instant Payments” debit card to the merchant account as this attacker did).

Unfortunately, I’ve asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”

• https://github.com/woocommerce/woocommerce-gateway-stripe/issues/634#issuecomment-1168340952

…I would appreciate if more people would jump-in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)

I’m curious if any security engineers have covered this incident.

Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (eg adding a new “Instant Payments” debit card to the merchant account as this attacker did).

Unfortunately, I’ve asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”

• https://github.com/woocommerce/woocommerce-gateway-stripe/issues/634#issuecomment-1168340952

…I would appreciate if more people would jump-in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)