Security Advisory: Stripe Secret Key Exposure in Documentation
| Field | Value |
|---|---|
| Advisory ID | NXD-2023-001 |
| Published | 2023-03-05 |
| Severity | Critical (CVSS 3.1 Base Score: 9.1) |
| CWE | CWE-798 — Use of Hard-coded Credentials |
| Affected Product | Nexudus Developer Documentation / Stripe Integration |
| Status | Disclosed |
Summary
A live Stripe secret API key (sk_live_…) was inadvertently included in API request examples on the public Nexudus developer documentation site. This key provided full access to a Stripe account.
Vulnerability Details
What happened?
The Nexudus REST API documentation at https://developers.nexudus.com/reference/get-invoices included a live Stripe secret key in example API requests. Stripe secret keys (prefixed sk_live_) grant full programmatic access to the associated Stripe account without additional authentication.
Root Cause
A live production credential was used in documentation examples instead of a placeholder or test-mode key (sk_test_). This key was committed to the documentation source and rendered publicly on the developer portal.
Impact
With the exposed key, an attacker could:
1. Enumerate Connected Accounts & Contacts: List all connected Stripe accounts, exposing business names, email addresses, and account metadata.
2. Create Unauthorized Charges: Initiate charges against any connected account’s stored payment methods (credit/debit cards), billing arbitrary amounts to Nexudus clients.
3. Issue Unauthorized Refunds: Refund previous legitimate charges, causing financial loss and accounting discrepancies for affected businesses.
4. Access Payout History: View full payout history including amounts, dates, and bank account details — exposing confidential financial data.
5. Additional Operations: Access balance transactions, disputes, customer records, subscriptions, and other Stripe API resources associated with the account.
Impact Assessment
| Category | Impact |
|---|---|
| Confidentiality | Full exposure of client email addresses, business names, payment methods (partial card numbers), and payout history |
| Integrity | Unauthorized charges and refunds could be issued against any connected account |
| Availability | Mass refunds or disputes could disrupt payment processing for all connected businesses |
| Financial | Direct financial loss through unauthorized charges or refunds across the entire client base |
Exploitation Prerequisites
- Authentication Required: No — the key was publicly accessible in documentation.
- Technical Skill: Minimal — standard Stripe API calls with the exposed key.
- Tools Required: Any HTTP client (curl, Postman, or the Stripe CLI).
Remediation
- Remove the exposed key from all documentation pages and source repositories.
- Rotate the compromised key — generate new Stripe API keys and update all services using the old credentials.
- Audit Stripe logs — review Stripe’s request logs for any unauthorized usage during the exposure window.
- Use test keys in documentation — ensure only sk_test_ keys or clearly-marked placeholders (e.g., sk_live_YOUR_KEY_HERE) appear in public examples.
- Implement secret scanning — enable automated secret detection in CI/CD pipelines and documentation publishing workflows to prevent future credential leaks.
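The last two remediation items (placeholders only in examples, and automated secret scanning before publishing) can be enforced with a small pre-publish check. The following is an added example written for this advisory, not Nexudus or Stripe code: it scans documentation text for Stripe live secret-key patterns, ignores test-mode keys and placeholders, redacts anything it finds so the secret is not copied into CI logs, and exits non-zero so a publish pipeline can block the change. The sample page, the api.example.invalid host and the key values are constructed and deliberately fake; the rk_live_ restricted-key prefix is included on the assumption that restricted live keys are equally unwelcome in public docs.

```python
import re
import sys
from typing import List, Tuple

# Stripe live secret-key prefixes that must never appear in public documentation.
# sk_live_ is the full-access secret key; rk_live_ is a restricted live key
# (assumed to be in scope for scanning). Publishable keys (pk_live_) are designed
# to be embedded client-side and are not flagged.
LIVE_SECRET_RE = re.compile(r"\b(?:sk|rk)_live_[0-9A-Za-z]{24,}\b")

# Test-mode secret keys are acceptable in examples (as the advisory recommends),
# but are reported at INFO level so reviewers can see where they are used.
TEST_SECRET_RE = re.compile(r"\bsk_test_[0-9A-Za-z]{24,}\b")


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding is identifiable
    without writing the full secret into CI output."""
    return token[:8] + "..." + token[-4:]


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, severity, redacted_token) for every key-like token.

    Placeholders such as sk_live_YOUR_KEY_HERE are not matched because the
    pattern requires a run of at least 24 alphanumeric characters after the
    prefix, which underscore-separated placeholder words do not satisfy."""
    findings: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in LIVE_SECRET_RE.finditer(line):
            findings.append((line_no, "CRITICAL", redact(m.group(0))))
        for m in TEST_SECRET_RE.finditer(line):
            findings.append((line_no, "INFO", redact(m.group(0))))
    return findings


def has_live_secret(text: str) -> bool:
    """True if any live secret key was found; a CI gate fails on this."""
    return any(sev == "CRITICAL" for _, sev, _ in scan_text(text))


# Constructed sample documentation page: hypothetical host, fake key values.
SAMPLE_DOC = """\
GET /invoices example (constructed sample, not the real Nexudus page)
curl https://api.example.invalid/v1/invoices -u sk_live_EXAMPLEONLY0000000000000000:
curl https://api.example.invalid/v1/invoices -u sk_live_YOUR_KEY_HERE:
curl https://api.example.invalid/v1/invoices -u sk_test_EXAMPLEONLY0000000000000000:
Client-side code uses the publishable key pk_live_EXAMPLEONLY0000000000000000
"""


if __name__ == "__main__":
    for line_no, severity, token in scan_text(SAMPLE_DOC):
        print(f"line {line_no}: {severity} {token}")
    # A non-zero exit blocks the documentation publish step in CI.
    sys.exit(1 if has_live_secret(SAMPLE_DOC) else 0)
```

Run against the sample, the check reports the sk_live_ key on line 2 as CRITICAL (redacted to sk_live_...0000), notes the sk_test_ key on line 4 at INFO, and ignores both the placeholder and the publishable key. Wiring the same function over every rendered documentation file in the publishing workflow, and failing the job when has_live_secret returns true, is the "secret scanning" control the remediation list calls for; a dedicated scanner with a broader pattern set is a reasonable replacement once one is adopted.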
Timeline
| Date | Event |
|---|---|
| 2023-03-01 | Stripe live key included in developer documentation |
| 2023-03-08 | Vulnerability reported to Nexudus |
| 2023-03-08 | Key rotated and removed from documentation |
| 2026-06-08 | Public disclosure |