I make and sell BusKill laptop kill cords. Monero is accepted.
I consider “support” for this as having it documented. It’s not a boolean “on” / “off”. To “support Restricted API Keys” would mean that they document the minimum set of permissions required (which is a long list of properties, each set to “none” or “read” or “write”).
Indeed, I’m very happy to see they’ve changed it from ‘low-priority’ to ‘high-priority’. Hopefully they’ll update the documentation with the permissions needed for Restricted API Keys soon.
The problem is that creating a “Restricted API Key” means you have to tick “read” or “write” for dozens of different API “resource types”.
So if WooCommerce doesn’t document which resource types are needed, then “Restricted API Keys” are basically not supported because even security-conscious users cannot know how to produce a key that is fully functional yet satisfies the PoLP.
I’m curious if any security engineers have covered this incident.
Stripe does support generating Restricted API Keys. With “Restricted API Keys” you’re able to mint a key that can live on your e-commerce website that has permission to accept payments but does not have permission to modify your merchant account’s payout methods (e.g. adding a new “Instant Payments” debit card to the merchant account as this attacker did).
Unfortunately, I asked WooCommerce to support Restricted API Keys 1 year ago, but they marked it as “low priority”
…I would appreciate if more people would jump in on ^ that ticket and scold WooCommerce so that they add support for Restricted API Keys ;)
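As an added illustration (not the commenter's code, nor Stripe's or WooCommerce's), the following models the none/read/write permission matrix the thread describes and audits a key against a least-privilege baseline. The resource names and the REQUIRED baseline are hypothetical placeholders, since the minimum set is exactly what the thread says is undocumented; the `rk_`/`sk_` prefix check relies on Stripe's published key-prefix convention.

```python
# Least-privilege audit of a Stripe-style restricted API key.
# Constructed example: resource names and REQUIRED are HYPOTHETICAL;
# replace them with the vendor's documented minimum once it exists.

LEVELS = {"none": 0, "read": 1, "write": 2}

# Hypothetical minimum a checkout integration might need (assumption).
REQUIRED = {
    "payment_intents": "write",
    "customers": "write",
    "payouts": "none",
    "external_accounts": "none",  # payout destinations: never writable from the shop
}


def key_kind(api_key: str) -> str:
    """Classify by Stripe's key prefixes: rk_ = restricted, sk_ = full secret key."""
    if api_key.startswith("rk_"):
        return "restricted"
    if api_key.startswith("sk_"):
        return "full-secret"
    return "unknown"


def audit_permissions(granted: dict, required: dict) -> dict:
    """Return {'excess': {...}, 'missing': {...}} versus the baseline.

    'excess' lists resources where the key grants more than needed (PoLP
    violation); 'missing' lists where it grants less (key won't function).
    A resource absent from `granted` is treated as 'none'.
    """
    excess, missing = {}, {}
    for resource, need in required.items():
        have = granted.get(resource, "none")
        if LEVELS[have] > LEVELS[need]:
            excess[resource] = (have, need)
        elif LEVELS[have] < LEVELS[need]:
            missing[resource] = (have, need)
    for resource, have in granted.items():  # anything outside the baseline is excess
        if resource not in required and LEVELS[have] > 0:
            excess[resource] = (have, "none")
    return {"excess": excess, "missing": missing}


def is_least_privilege(api_key: str, granted: dict, required: dict = REQUIRED) -> bool:
    """True only for a restricted key whose grants exactly match the baseline."""
    report = audit_permissions(granted, required)
    return key_kind(api_key) == "restricted" and not report["excess"] and not report["missing"]


if __name__ == "__main__":
    # Constructed sample: accepts payments but can also rewrite payout destinations.
    sample = {"payment_intents": "write", "customers": "write", "external_accounts": "write"}
    print(audit_permissions(sample, REQUIRED))
```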
Theft of high-risk users’ data. Data could include private keys (e.g. theft of cryptocurrency assets), contacts of correspondence (e.g. sources of a journalist – such as whistleblowers), etc.
For more information, see the Who Uses BusKill? section of the documentation.