I’m seeing very similar customers, all from Brazil, being added to Stripe constantly. I’m not clear if it’s malicious. They don’t have any charges.
And this goes on. On May 13 alone, 100s were created.
One customer was successfully created and charged on May 13 from Brazil, but the charge was blocked as being from a high-risk country. Thank you, Stripe.
There are a lot of customers without charges. I don’t think the current donate code allows for that; they are created when they first donate, so a charge would be created simultaneously.
What I see as the pattern is: the customer is created, then another request tries to find the payment source (aka the card token) but fails. It wasn’t created, since they never completed a charge.
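The pattern described above (a customer gets created, a follow-up request tries to look up its payment source and fails, and no charge ever succeeds) can be picked out of request logs mechanically. The Ruby script below is an added example for this thread, not the donate code and not anything Stripe ships; it assumes a constructed JSON-lines request log whose field names (ts, ip, method, path, status, customer) are invented here, and it reports source IPs whose created customers never reach a successful charge.

```ruby
require 'json'

# Constructed sample request log (not real Stripe data): one JSON object per line,
# in the shape a donate server might record when it proxies calls to the Stripe API.
SAMPLE_LOG = <<~LOG
  {"ts":"2019-05-13T10:00:01Z","ip":"203.0.113.5","method":"POST","path":"/v1/customers","status":200,"customer":"cus_A1"}
  {"ts":"2019-05-13T10:00:02Z","ip":"203.0.113.5","method":"GET","path":"/v1/customers/cus_A1/sources","status":404,"customer":"cus_A1"}
  {"ts":"2019-05-13T10:00:05Z","ip":"203.0.113.5","method":"POST","path":"/v1/customers","status":200,"customer":"cus_A2"}
  {"ts":"2019-05-13T10:00:06Z","ip":"203.0.113.5","method":"GET","path":"/v1/customers/cus_A2/sources","status":404,"customer":"cus_A2"}
  {"ts":"2019-05-13T10:00:09Z","ip":"203.0.113.5","method":"POST","path":"/v1/customers","status":200,"customer":"cus_A3"}
  {"ts":"2019-05-13T10:00:10Z","ip":"203.0.113.5","method":"GET","path":"/v1/customers/cus_A3/sources","status":404,"customer":"cus_A3"}
  {"ts":"2019-05-13T10:00:14Z","ip":"203.0.113.5","method":"POST","path":"/v1/customers","status":200,"customer":"cus_A4"}
  {"ts":"2019-05-13T10:00:15Z","ip":"203.0.113.5","method":"POST","path":"/v1/charges","status":402,"customer":"cus_A4"}
  {"ts":"2019-05-13T10:03:00Z","ip":"198.51.100.7","method":"POST","path":"/v1/customers","status":200,"customer":"cus_B1"}
  {"ts":"2019-05-13T10:03:01Z","ip":"198.51.100.7","method":"POST","path":"/v1/charges","status":200,"customer":"cus_B1"}
LOG

# One row per customer id: the IP that created it and what happened afterwards.
Customer = Struct.new(:id, :ip, :charged_ok, :source_lookup_failed, :charge_declined)

# Parses JSON-lines text into an array of event hashes, skipping blank lines.
def parse_log(text)
  text.each_line.map(&:strip).reject(&:empty?).map { |line| JSON.parse(line) }
end

# Builds a Customer profile for every customer id seen in the events.
def profile_customers(events)
  customers = {}
  events.each do |e|
    id = e['customer']
    next unless id
    c = customers[id] ||= Customer.new(id, e['ip'], false, false, false)
    if e['method'] == 'POST' && e['path'] == '/v1/charges'
      # A 200 on /v1/charges is the only thing that makes a customer "real" here.
      if e['status'] == 200
        c.charged_ok = true
      else
        c.charge_declined = true
      end
    elsif e['method'] == 'GET' && e['path'].end_with?('/sources') && e['status'] >= 400
      # The thread's signature: a lookup of the card/source that was never attached.
      c.source_lookup_failed = true
    end
  end
  customers
end

# Returns { ip => number of customers created by that ip with no successful charge },
# keeping only IPs at or above min_uncharged so ordinary abandoned donations do not alert.
def suspicious_ips(events, min_uncharged: 3)
  counts = Hash.new(0)
  profile_customers(events).each_value do |c|
    counts[c.ip] += 1 unless c.charged_ok
  end
  counts.select { |_ip, n| n >= min_uncharged }
end

if __FILE__ == $PROGRAM_NAME
  events = parse_log(SAMPLE_LOG)
  profile_customers(events).each_value do |c|
    puts format('%-8s ip=%-13s charged=%-5s source_lookup_failed=%-5s declined=%s',
                c.id, c.ip, c.charged_ok, c.source_lookup_failed, c.charge_declined)
  end
  puts "suspicious: #{suspicious_ips(events).inspect}"
end
```

The threshold is the knob to tune: one or two abandoned customers per IP is normal for a donate form, while a run of them from the same address with failed source lookups and no successful charge is the behaviour this thread is describing. The declined charge from cus_A4 is kept separate from the "never charged" count so a blocked high-risk-country charge still shows up as an attempt.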
In April, it’s a lot of European domains, some Russian.
@SuperQ is there any logging on donate so I can see the requests? Getting a dump of the database would also be good. I don’t think it’s an issue with our servers per se, but there might be some permission issue with our API, and it’s worth speaking to Stripe.
The activity appears to start in March '19.
Eh, spoke too soon.
There’s a lot of activity from the front end.
Inspecting these requests, they are coming from Brazil.
They’ve grabbed the public key and are spamming it to find valid tokens. It’s easy to grab; it’s in the front page source.
I feel like this should be tied to our domain/IP somehow, but this is a bit past me. I know we can roll the key, but that doesn’t solve the fundamental problem. I am in favor of rolling it, however.
I sent them an email and it will be sent to the account.
Update: raised an issue on Infra to pull DB and/or webserver logs to check if activity is generated on our side.
It’s feasible with the public key to generate the requests with, for example, curl, so anyone could do it. The server-side private key is necessary for charges, so I don’t think there is any financial risk.
Ah, OK, there we go. I was going to complain they didn’t involve the primary account; glad they did. Thank you.
The current donate is in Ruby, which I can read, but I have no programming experience.
I’m sure the documentation for adding reCAPTCHA (what is hidden reCAPTCHA?) is simple. This sucks though, CAPTCHA is annoying.
I’ve heard you can outsource them to porn sites since they have so many people logging on. Cannot confirm.
I think we should at least roll the key. It will stop an automated attack until they get the new one. I’ll have to find out where the key is in the donate code before we do that, to replace it with the new key.
We should probably give Stripe a 10-4 Roger, “We’re on it” response.
Sorry, I no longer have the time to help. Perhaps down the road.
Okay, would you mind passing this on to someone that would be able to implement reCAPTCHA? It appears we have a short timeline before our Stripe account gets temporarily disabled.
Highlighting @themanmaran as a heads-up.
Sorry, I don’t know how to do it; that’s what I was saying above. I don’t know Ruby, and I have only conjectured that implementing it should be easy.
I probably know Ruby less than anyone here, but happy to help on this. Can you forward me the email from the Stripe account and I would be happy to chat with them and let them know we are on it.
Stripe must have some plug-and-play captcha service. I imagine this would be a problem for plenty of Stripe users who are not quite as tech-savvy as NB. Once I get the contact info, I can call and chat with the Stripe guy.
Alternatively, here’s a Ruby captcha package: https://github.com/ambethia/recaptcha
The only relevant email is the one Nicole posted above. I only have emails that say “forwarding you to someone who can help”. Will forward to you regardless, but basically once they found the issue they (correctly) emailed the primary account.
I’ve responded to Stripe to let them know we’re aware and intend to add reCAPTCHA. They also suggested temporarily rate limiting the number of charges that can be made to our account.
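The two mitigations raised in this thread, a reCAPTCHA check and a rate limit on attempts, can sit together as one gate in front of the customer-creation call, so that the publishable key being public no longer lets an unattended script create customers at will. The Ruby below is an added example, not the project's donate code and not the recaptcha gem linked above; the siteverify URL and the "success" field in its JSON reply are Google's documented reCAPTCHA API, while SlidingWindowLimiter, DonateGate and the stub verifier in demo are names introduced here for illustration.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Verifies a reCAPTCHA response token server-side with the secret key (never the
# site key shipped in page source). Endpoint and the 'success' field are Google's
# documented API; this function is not exercised by the offline demo below.
def verify_recaptcha_token(token, secret, remote_ip)
  uri = URI('https://www.google.com/recaptcha/api/siteverify')
  res = Net::HTTP.post_form(uri, 'secret' => secret, 'response' => token, 'remoteip' => remote_ip)
  JSON.parse(res.body)['success'] == true
rescue StandardError
  false # fail closed: a network or parse error counts as "not verified"
end

# In-memory per-key sliding window: at most `limit` attempts in any `window_seconds`.
# (Hypothetical helper; a multi-process deployment would back this with Redis or similar.)
class SlidingWindowLimiter
  def initialize(limit:, window_seconds:)
    @limit = limit
    @window = window_seconds
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Records an attempt for key and returns true if it is still within the limit.
  def allow?(key, now = Time.now.to_f)
    stamps = @hits[key]
    stamps.reject! { |t| t <= now - @window }
    return false if stamps.size >= @limit
    stamps << now
    true
  end
end

# Gate to run before calling Stripe with the secret key to create a customer/charge.
# verifier is any callable (token, ip) -> bool, so the real siteverify call can be
# swapped for a stub in tests.
class DonateGate
  def initialize(limiter:, verifier:)
    @limiter = limiter
    @verifier = verifier
  end

  # Returns :ok, :rate_limited or :captcha_failed. The limiter runs first so a flood
  # from one address is cut off before it burns siteverify calls.
  def admit(ip:, captcha_token:, now: Time.now.to_f)
    return :rate_limited unless @limiter.allow?(ip, now)
    return :captcha_failed unless @verifier.call(captcha_token, ip)
    :ok
  end
end

# Offline walk-through with a stub verifier and constructed timestamps.
def demo
  limiter = SlidingWindowLimiter.new(limit: 3, window_seconds: 60)
  verifier = ->(token, _ip) { token == 'good-token' } # stub standing in for verify_recaptcha_token
  gate = DonateGate.new(limiter: limiter, verifier: verifier)
  t0 = 1_557_741_600.0 # constructed epoch timestamp, 2019-05-13
  [
    gate.admit(ip: '203.0.113.5', captcha_token: 'good-token', now: t0),
    gate.admit(ip: '203.0.113.5', captcha_token: 'good-token', now: t0 + 1),
    gate.admit(ip: '203.0.113.5', captcha_token: 'good-token', now: t0 + 2),
    gate.admit(ip: '203.0.113.5', captcha_token: 'good-token', now: t0 + 3),  # 4th in 60s
    gate.admit(ip: '198.51.100.7', captcha_token: 'forged', now: t0 + 4),     # no valid captcha
    gate.admit(ip: '203.0.113.5', captcha_token: 'good-token', now: t0 + 61)  # window has slid
  ]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Only an :ok result should reach the code path that uses the server-side secret key; rolling the publishable key, as discussed above, is still worthwhile but on its own only buys time until the new key is read out of the page source again, which is why the gate checks something the script cannot read from the page.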
I’ve created a PR that resolves this issue here:
@jay Awesome. CI is failing, can you take a look? Somehow it’s the SCSS. We could probably ignore it, but I want your opinion.
Thank you for that PR to resolve our reCAPTCHA issue, @jay. Looks like we’re in the clear on Stripe’s end, but it is concerning that CI is failing.
@ruthgrace @_ar would either of you mind taking a look at CI?
Looking at the “details” link next to the failed build, I found the error: “You are trying to install in deployment mode after changing your Gemfile. Run bundle install elsewhere and add the updated Gemfile.lock to version control.” So someone who has Ruby needs to run bundle install in this branch and commit the new Gemfile.lock, and that should fix at least this error.