Cybersecurity

cross-posted from: https://midwest.social/post/26331167

This is an utter failure of oversight in governance. And likely a misappropriation of government funds.

What a colossally shortsighted decision.

Why does Stripe require OAuth tokens to pass through a third party server?

Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?

I've tried RTFM, but my biggest hangup is that the OAuth docs appear describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.

Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?

I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API Keys. In fact, we've found that most integrations we've encountered that use Stripe Connect are less secure than using Restricted API Keys because the (private!) tokens are shared with a third party!

I've been using Stripe to handle credit card payments on my e-commerce website for years. Recently, we updated our wordpress e-commerce website and all its plugins. And then we discovered that all credit card payments were broken because our Stripe Payment Gateway plugin stopped allowing use of Restricted API Keys. Instead they only support "Stripe Connect" (which, afaict, is a marketing term for OAuth). This change forced us to do a security audit to make sure that the new authentication method met our org's security requirements. What we found was shocking.

So far we've started auditing two woocommerce plugins for Stripe, and both have admitted that the OAuth tokens are shared with their (the developer's) servers!

One of them is a "Stripe Verified Partner", and they told us that they're contractually obligated by Stripe to use only "Stripe Connect" (OAuth) -- they are not allowed to use good-'ol API Keys.

They also told us that Stripe REQUIRED them to include them in the OAuth flow, such that their servers are given our (very secret!) OAuth Access Keys!

The benefit of normal API Keys, of course, is that they're more secure than this OAuth setup for (at least) two reasons:

1. I generate the API keys myself, and I can restrict the scope of the keys permissions

2. I store the key myself on my own server. It's never transmitted-to nor stored-on any third party servers. Only my server and Stripe's servers ever see it.

Can someone shine a light onto this darkpattern? I understand that standardization is good. OAuth Refresh Keys add security (this service doesn't use them). But why-oh-why would you FORCE OAuth flows that share the (non-expiring) Access Tokens with a third party? And why would you claim that's more secure than good-ol-API-keys?

Does OAuth somehow not support server<-->server flows? Or is it a library issue?

What am I missing?

Davey Winder provides details of the LabHost bust by British police in partnership with Microsoft and others - and explains LabHost's modus operandi

In the last blog we talked about what everyone assumed was the most boring topic that you could talk about, keeping your dependencies up to date. But I think I’ve got it topped this time, this time we are going to be talking about that number one thing that all developers love spending their time working on... Logging.

The differences between application security and developer security are simple enough in principle, but go significantly further as soon as you get past the surface. Many people in the cyber security community seem to place a great emphasis on the effectiveness of application security but in many cases, will completely negate the secondary portion of this which is securing the individual who is responsible for introducing security bugs to the software. I'm not saying that to be harsh, mistakes are a simple part of life and without the proper tooling and education it is very easy to continue to produce mistakes especially when greeted with constricted timelines and consistent budget crunch.

It is common for companies to neglect financing in cyber security for a quick short term gain. And at the same time the laws are created such that an offensive hacker would be the criminal. By turning the law around the blame would be on the company for building insecure systems, just like it is right now companies get problems if they would create unsafe products for consumers.

What do you think would happen if laws would change in such a way, that gaining unauthorized access would become legal? Note that I've intentionally excluded permission to share sensitive information. Would love to read your responses and thoughts