Summary

  • A bug bounty hunter known as Iski discovered payment API keys in a JavaScript file on a subdomain of the target organisation.
  • These keys were being served from the payment provider’s staging environment and were readable by anyone with a standard web browser.
  • The discovery was made during a routine domain search, and further investigations were conducted using tools such as SubFinder, httpx, and gau.
  • The hunter, who was late with their rent at the time, moved to the next stage of testing and discovered a serious lack of security and a failure to adhere to best practices in the organisation’s payment processing systems.
  • This story ends with a successful bounty and a happy landlord.
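The finding above is a classic secret-in-client-side-JavaScript exposure. As an added illustration (not code from the original write-up or from Iski), the following Python checker shows how a defender can scan served JavaScript for hard-coded API keys before it reaches a public subdomain. The key prefixes (`sk_live_`, `sk_test_`, `api_key_`) and the sample JavaScript are assumptions constructed for the example; substitute the prefixes your payment provider documents.

```python
import math
import re

# Assumed key prefixes used for this example only; replace with the
# formats your provider actually issues.
DEFAULT_PREFIXES = ("sk_live_", "sk_test_", "api_key_")


def shannon_entropy(s):
    """Bits of entropy per character; real keys score high, filler strings score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_exposed_keys(js_text, prefixes=DEFAULT_PREFIXES, min_entropy=3.0):
    """Return findings for tokens that look like API keys in JavaScript source.

    A token is a known prefix followed by at least 16 URL-safe characters.
    The entropy threshold filters out obvious placeholders such as repeated
    characters so that only key-like material is reported.
    """
    alternation = "|".join(re.escape(p) for p in prefixes)
    pattern = re.compile(r"(" + alternation + r")([A-Za-z0-9_\-]{16,})")
    findings = []
    for lineno, line in enumerate(js_text.splitlines(), 1):
        for match in pattern.finditer(line):
            prefix, body = match.group(1), match.group(2)
            entropy = shannon_entropy(body)
            if entropy >= min_entropy:
                findings.append({
                    "line": lineno,
                    "prefix": prefix,
                    "entropy": round(entropy, 2),
                    # Never log the full secret; keep only enough to locate it.
                    "redacted": prefix + body[:4] + "...",
                })
    return findings


# Constructed sample JavaScript; none of these values is a real credential.
SAMPLE_JS = """const payments = {
  publishable: "pk_constructed_not_a_real_key",
  secret: "sk_test_CONSTRUCTEDexample1234567890AbCd",
  filler: "sk_test_aaaaaaaaaaaaaaaaaaaa"
};
"""

if __name__ == "__main__":
    for finding in find_exposed_keys(SAMPLE_JS):
        print(finding)
```

Run against the bundles that a build actually ships (or against the responses a crawler such as httpx fetches), and treat any hit on a production bundle as an incident: rotate the key at the provider and then remove it from the source, in that order.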

By Iski