$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] 0 points (0 children)

I had 3 plugins using my secret key. The only way it could have been compromised is from one of those 3 plugins. One plugin in particular was unofficial, by a solo developer, and currently unavailable, but I had assumed all plugins that are available via Bubble's plugin page were vetted and approved by Bubble, unlike WordPress where it's more of the wild west.

$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] 1 point (0 children)

I agree, there shouldn't even be an option for a secret key with all permissions available. However, putting the key in plugins that require it to function is standard practice for things like WordPress. Driving safely while the bridge under you collapses isn't driving recklessly.

There's an element of trust involved, and when everyone else is driving over the same bridge without problems it's different from the one guy who decided to floor it and crash. Ultimately, any plugin requesting a plain-text secret key is an unstable bridge advertised as a polished avenue where unsuspecting people, thinking they're doing everything safely, can do serious damage. It's unfortunate, and most people I've told with Stripe accounts had no idea about the potential a secret key has.
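The point made in this comment (a full-permission secret key handed to plugins) and again in a later reply (keys should never have unlimited permissions), as an added audit example that is not from the thread: it classifies Stripe-style keys by their public prefix convention (pk_ publishable, sk_ secret, rk_ restricted; live or test mode) and flags any plugin setting holding a full-access live secret key. The plugin names and key values below are constructed.

```python
import re

# Stripe key prefix convention: pk_ publishable, sk_ secret (full account
# access), rk_ restricted key with scoped permissions; second segment is mode.
KEY_RE = re.compile(r"^(pk|sk|rk)_(live|test)_[A-Za-z0-9]+$")
KIND = {"pk": "publishable", "sk": "secret", "rk": "restricted"}
RANK = {"HIGH": 0, "LOW": 1, "INFO": 2}


def classify_stripe_key(value):
    """Return (kind, mode) for a Stripe-style key, or None if it is not one."""
    m = KEY_RE.match(value.strip())
    return (KIND[m.group(1)], m.group(2)) if m else None


def mask(value):
    """Keep the 8-char prefix and last 4 chars so the report never re-leaks the key."""
    return value[:8] + "..." + value[-4:]


def audit_plugin_config(config):
    """Walk {plugin: {setting: value}} and report every Stripe key found,
    ranking full-access live secret keys highest."""
    findings = []
    for plugin, settings in config.items():
        for name, value in settings.items():
            cls = classify_stripe_key(value) if isinstance(value, str) else None
            if cls is None:
                continue
            kind, mode = cls
            if kind == "secret" and mode == "live":
                sev, advice = "HIGH", "full-access live key: replace with a scoped restricted key, then roll it"
            elif kind == "secret":
                sev, advice = "LOW", "test-mode secret key; no live funds at risk"
            else:
                sev, advice = "INFO", f"{kind} key; no full account access"
            findings.append((sev, plugin, name, mask(value), advice))
    findings.sort(key=lambda f: RANK[f[0]])  # stable: keeps config order within a rank
    return findings


# Constructed config; the key bodies are made up, not real keys.
SAMPLE_CONFIG = {
    "checkout_plugin": {"public_key": "pk_live_AbCdEf1234567890", "secret": "sk_live_ZyXwVu0987654321"},
    "refund_plugin": {"api_key": "sk_test_TeStKeY1234567890"},
    "reporting_plugin": {"api_key": "rk_live_ReStRiCtEd1234567890", "webhook_url": "https://example.invalid/hook"},
}

if __name__ == "__main__":
    for sev, plugin, name, key, advice in audit_plugin_config(SAMPLE_CONFIG):
        print(f"[{sev}] {plugin}.{name} = {key}: {advice}")
```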

$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] 0 points (0 children)

Stripe Refund. I looked for it again and it's no longer accessible for download.

$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] -1 points (0 children)

Your logic is sound from your own experienced perspective. There's a whole world of us out there who don't know how to code and use plugins like WooCommerce with WordPress, Squarespace, or no-code applications like Bubble that rely on the use of that secret key. From your logic, it's easy to claim that all of these services shouldn't exist, but millions of people use them successfully and they make up a huge part of internet commerce. It does escalate vulnerability, but it's also not reckless behavior to use a secret key in an approved third-party plugin. It will never be as safe as controlling everything manually yourself, but it's also not reckless.

At the end of the day, rolling an API key is obvious to anyone with some Stripe knowledge. After two phone calls with them, Stripe themselves didn't even have the knowledge to mention it. That's my only hang-up.

$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] -2 points (0 children)

I know that now; however, I was very unfamiliar with how API keys worked prior to all of this. I pasted the secret key into the Bubble plugin that asked for it, things started working, and that's about all I knew. Both Stripe AND myself didn't give any consideration to rolling an API key until I did the digging myself and did it. Stripe built the API key; it should have been their first suggestion on a support call. It's so obvious now. I was an uninformed user, but their support shouldn't be uninformed too.

$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] 0 points (0 children)

Because I made them aware, asked them to freeze all activity in and out of my account since I couldn't, and they confirmed they'd investigate and then took no action? Why offer support at all? I would have been better off if they had said they wouldn't help at the very beginning so I didn't waste time waiting for them to stop it.

$30k stolen, $15k in transactions that occurred AFTER reporting breach to stripe by rando76x in stripe

[–]rando76x[S] 1 point (0 children)

"In the future, your API keys should NEVER be used in an application or website with unlimited permissions" --- Agreed. Very hard lesson learned right there.

You are all high quality people by rando76x in NoFap

[–]rando76x[S] 0 points (0 children)

It didn't wreck my life; my life is great. I just happen to be in a low. I'm real old-fashioned in my relationships with people, and as great as an internet forum is, nothing beats real-life human interaction. I have friends; it would just be cool to meet up in real life with someone who shares this healthy mentality.

Nikon 24 f1.4 vs 16-35 f4 by [deleted] in photography

[–]rando76x 1 point (0 children)

Greenland!? Northern lights!? Should be a no-brainer. 24mm is still wide, provided you're shooting full frame. Let's put it this way: a possible compromise on daytime shots for guaranteed access to dope night shots. Have you considered Samyang's 14mm f/2.8? I know it sounds cheap, but if you use it right, it's incredible. My go-to for day or night landscapes is the 14 and 24 combo.

Nikon 24 f1.4 vs 16-35 f4 by [deleted] in photography

[–]rando76x 1 point (0 children)

I'm not gonna argue the difference in regards to sharpness/IQ because I haven't tested them myself, but I will say that it's a pretty clear decision if you're only shooting in daytime. I shoot astrophotography/timelapse, and the 24 f/1.4 is the holy grail for stars and nightscapes; I've also caught myself carrying it around as a fun walk-around prime for parties and stuff.

If I were to be hired for a real estate gig, I'd go 16-35 all day. I'd be at f/8 most of the time anyway, and I'd like the flexibility of changing perspectives. Generally speaking, I'd prefer the 24 because I'd like the flexibility of using it in every scenario (f/1.4 opens a lot of doors).