EXCLUSIVE | 10 mobile apps using Razorpay payment gateway expose transaction keys

API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other. It is the messenger that delivers your request to the service provider you're requesting it from and then delivers the response back to you.

What are the potential dangers?

If the API ID and secret key are leaked, they can be exploited to not only gain personal information of users, like phone numbers and email addresses, but also to initiate unauthorised refunds.

“An adversary can make bulk purchases and then initiate refunds. Such refunds can also lead to significant losses for the company,” the report accessed by Moneycontrol stated.

In fact, during the investigation, CloudSEK was able to access the transaction information for Rs 1,82,813, along with the payment IDs. Using just these two details, an adversary could carry out an refund, the report titled ‘Exposed Payment Integration API Keys Imperil Millions of User’s Transaction Details and PII’ said.

Merchant's API key is a combination of a key ID and a secret key that are required to make any API request to Razorpay.

While this only makes up 5 percent of the total apps investigated by CloudSEK, these applications have a cumulative download count of 2.5 million. Given that a purported 8 million businesses use Razorpay to facilitate payments, the actual number of apps exposing their API keys could be much higher.

The report also warned that besides the risk of orchestrating scams, and even identity thefts using this personal data, a threat actor can either dump or sell the financial information, transaction details, and other personal information of users on cybercriminal forums or dark web marketplaces.

Razorpay Responds

Razorpay said its API keys are secure. If not, many merchants would have been affected, it said.

“Razorpay clearly mentions in contracts signed with merchants that such keys should not be exposed on any public platform,” Hepsibah Rosario, Head of Corporate Communication and Branding at Razorpay, told Moneycontrol.

She added that some of the merchants that had their platform keys exposed on public platforms were notified by the company to deactivate it. “We disabled it from our end when we received no response from the merchants or if the data was still public. Customer safety and merchant data is of utmost importance,” she added.

Talking about the methodology of the report, CloudSEK stated that whenever a BeVigil user submits an android application for scanning, the company uses scanners and algorithm and gives a rating to the app, based on security incidents found. BeVigil is a free mobile application security testing tool.

“There are certain algorithms we use to find the secrets from android applications,” it said in an email response.

Is there a solution?

For Razorpay and other payment providers, mobile apps “are just one integration. They have integrations with web applications and wallets, and they can even be used on-premise in offices, shops, and other locations. Hence, exposed API keys don’t endanger the app but the entire merchant organisation’s payment data,” the report noted.

As a remedial action, the report suggests steps to invalidate the leaked keys and regenerate a new key secret pair. However, doing so could take multiple days to execute, depending on factors such as the number of downloads, the flexibility of distribution etc. It would be a challenge if the app is used in older versions of Android, since getting all users to update to the new version may prove difficult.

It further suggested app developers to release a new version of the app with the key removed. “In order to avoid these issues, app developers are encouraged to be cognizant of the long-term effects of exposed API keys and set up review processes to avoid exposing the keys in the first place,” the report concluded.