
How secure is it to pass some data into a Stripe website (external, not our own site) to prefill a form through the query string? It's an external site, so we can't just pass it in encrypted like we would with our own site's data.

I would assume it wouldn't be too bad, considering its only usage is to prefill the form, and the only way other people can get said data is to log in to a certain company which we have security (permissions) for anyway.

Example data (with the URL used): https://connect.stripe.com/oauth/authorize?response_type=code&client_id=blahblahblahxxxxxxx&stripe_user[email]=my.email@yahoo.com&stripe_user[first_name]="billy"

I'll add more info if needed...

[edit] The data is not restricted to just the ones I provided; they just seemed fitting at the time. We got these options for the business:

[email] [url] [country] [phone_number] [business_name] [business_type] [first_name] [last_name] [dob_day] [dob_month] [dob_year] [street_address] [city] [state] [zip] [physical_product] [shipping_days] [product_category] [product_description] [average_payment] [past_year_volume] [currency]

The information I've already got from you guys is pretty clear by itself though. The things I see as sensitive on this are the addresses (city, state, ZIP etc) but that's all...

L_Church
    Is the data you are passing limited to the data shown in your example, i.e. email and username? You aren't passing payment information like amount or any card data (as I presume you are talking about Stripe the payment processor). – iainpb Feb 22 '18 at 16:47

2 Answers


The question is what you consider "bad" in this case. Since I can only guess what is considered bad in your use case:

  • Stripe will have access to the data in the GET request without further intervention from the user if you load it the way your example works: this might be a privacy regulation issue depending on the details.
  • Anyone that sees the URL sees the data. That means the user's browser, but also anyone that visits the site that contains the URL.

However, as far as I'm aware, Stripe already offers its users a pre-fill feature through an SMS/text message to the user when Stripe detects that it knows their browser -- I'd recommend using that unless you have a very specific reason to pre-fill this data.

  • I gave Stripe an email and they claim to have encryption services covering their side... The reason for this is simply for (much) better UX. It's a bit of a hefty form for the impatient and I'm sure it will be appreciated over time – L_Church Feb 23 '18 at 10:40

I assume by "passing data" you meant "redirecting the end user's browser to the following Stripe.com URL"?

How secure you ask?

If you are concerned about eavesdropping on the communication, the fact that you are redirecting to HTTPS means the query string will travel encrypted between the user's browser and the Stripe servers.

The query string will most probably end up in the browser's history (who else consistently runs their browser in incognito mode?). That's probably more of a user's concern, but maybe an unexpected behaviour from your end.

Now, if the user has a compromised browser, the query string may be captured by malicious code (e.g. malicious extension). I don't think the query string's confidentiality is the end user's main concern at this point.

You shouldn't transmit any obviously confidential data like passwords or credit card numbers, but you don't propose to do that, so.

All data transmission should also conform to your privacy policy, just in case...

korrigan
  • So would you recommend having a small warning saying the user is responsible for securing their data on their end? Like "You are responsible for your data. Please make sure you protect it" (bad wording, but you get the idea) and a reminder that Stripe also has their end covered? – L_Church Feb 23 '18 at 10:36
  • Informing your user base of a significant change in behaviour seems like a good move, especially if we are talking about PII. How they would perceive it depends on what user base we are talking about, and what was in your privacy policy in the first place. It's up to you to determine how to approach it and what is acceptable in this situation. – korrigan Feb 23 '18 at 12:58
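Both answers boil down to the same practical rule: only the fields you are prepared to expose in a URL should go into the query string, the URL must be HTTPS, and the string will persist in browser history and any log that records requests. The following is an added example (not code from the question, the answers, or Stripe) that applies that rule when building the Connect URL from the question; the split of the prefill fields into an allow-list and a deny-list is an assumption, chosen to hold back the address and date-of-birth fields the asker flagged as sensitive, and the redaction helper covers server-side logging, which the answers only touch on indirectly via browser history.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CONNECT_URL = "https://connect.stripe.com/oauth/authorize"

# Assumed classification of the stripe_user[...] prefill keys listed in the question:
# fields acceptable in a URL versus fields the user should type in themselves.
PREFILL_ALLOWED = {"email", "url", "country", "business_name", "business_type",
                   "first_name", "last_name", "currency", "product_category"}
PREFILL_DENIED = {"phone_number", "dob_day", "dob_month", "dob_year",
                  "street_address", "city", "state", "zip"}


def build_connect_url(client_id, prefill):
    """Build the Connect OAuth URL with only allow-listed prefill fields.

    Returns (url, dropped): dropped lists the keys that were withheld.
    """
    params = {"response_type": "code", "client_id": client_id}
    dropped = []
    for key, value in prefill.items():
        if key in PREFILL_ALLOWED and value not in (None, ""):
            params[f"stripe_user[{key}]"] = str(value)
        else:
            dropped.append(key)  # denied, unknown, or empty field
    # urlencode percent-encodes the brackets, '@', quotes and spaces, so a value
    # such as "billy" or O'Brien & Sons cannot break the query string apart.
    url = f"{CONNECT_URL}?{urlencode(params)}"
    # The query string is only protected in transit because the redirect is HTTPS.
    assert urlsplit(url).scheme == "https"
    return url, dropped


def redact_query(url):
    """Blank every stripe_user[...] value before the URL is written to a log."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[redacted]" if k.startswith("stripe_user[") else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    # Constructed sample input; the client id is a placeholder, not a real one.
    url, dropped = build_connect_url("PLACEHOLDER_CLIENT_ID", {
        "email": "my.email@yahoo.com", "first_name": "billy",
        "street_address": "1 Main St", "zip": "12345",
    })
    print(url)
    print("withheld:", dropped)
    print("for logs:", redact_query(url))
```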