James Yoo

Reputation: 503

Stripe Connect account id, customer id security issues

I am just wondering if it is okay to make the Stripe account id (for Connect) and customer id visible in the browser. Is there any way that a person other than the holder could misuse the ids by obtaining them? (For example, moving earned money to their account or changing the person's information as a method of attack.)

Upvotes: 4

Views: 2722

Answers (3)

sleepyj

Reputation: 123

I consider the Stripe connected account id similar to an email address. The email address needs to be publicly known in order for people to email you. If they want to read your emails they need your login (e.g. password).

Upvotes: 0

Simon

Reputation: 1771

I think it's perfectly fine to expose Stripe accountIds to the client. Like others have said, these ids are useless to an attacker unless the attacker gets your secret key.

Other answers argue that exposed ids + a compromised secret make it easier for an attacker. That's true, but if the attacker has your secret, you're screwed anyway. It takes 1 GET request to list all accountIds.

Upvotes: 7

Jake T.

Reputation: 4378

All sensitive information coming from the account id requires your Stripe Secret Key (or that of the account, for Connect accounts). That being said, if access to those keys is compromised, having the account ids readily available just makes it that much easier for an attacker.

With public keys, I'm not sure you can even add a card directly to a user. Just create the card tokens and whatnot.

Upvotes: 1
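
An added example (not part of any answer above): the answers agree that an id is only actionable together with the secret key, and your own backend holds that key, so an endpoint should derive the Stripe id from the authenticated session instead of trusting one sent by the browser. The user ids, `acct_`/`cus_` values, `OWNERSHIP` table, handler and `stripe_call` callable are constructed placeholders; no real Stripe API is called.

```python
from dataclasses import dataclass

# Constructed sample data: which Stripe ids each application user owns.
# In a real app this mapping is stored server-side when the ids are created.
OWNERSHIP = {
    "user_alice": {"account": "acct_EXAMPLE_ALICE", "customer": "cus_EXAMPLE_ALICE"},
    "user_bob": {"account": "acct_EXAMPLE_BOB", "customer": "cus_EXAMPLE_BOB"},
}


class Forbidden(Exception):
    """Raised when a request names a Stripe id the session user does not own."""


@dataclass(frozen=True)
class Session:
    user_id: str  # set by the auth layer after login, never taken from the request


def resolve_stripe_id(session, kind, client_supplied=None):
    """Return the id of type `kind` owned by the session user.

    An id sent by the browser is only ever compared against the stored one;
    it is never used as the lookup key or as proof of ownership.
    """
    owned = OWNERSHIP.get(session.user_id, {}).get(kind)
    if owned is None:
        raise Forbidden(f"{session.user_id} has no Stripe {kind}")
    if client_supplied is not None and client_supplied != owned:
        raise Forbidden(f"{kind} id does not belong to {session.user_id}")
    return owned


def handle_update_account(session, body, stripe_call):
    """Hypothetical endpoint. `stripe_call` stands in for the server-side
    request made with the secret key; it runs only after the ownership check."""
    account_id = resolve_stripe_id(session, "account", body.get("account_id"))
    return stripe_call(account_id, body["changes"])


if __name__ == "__main__":
    calls = []
    fake_stripe = lambda acct, changes: calls.append((acct, changes)) or "ok"
    alice = Session("user_alice")
    print(handle_update_account(alice, {"changes": {"x": 1}}, fake_stripe))
    try:  # the request from Alice's session carries an account id that is not hers
        handle_update_account(alice, {"account_id": "acct_EXAMPLE_BOB", "changes": {}}, fake_stripe)
    except Forbidden as exc:
        print("rejected:", exc)
```
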
