CloudSEK researchers found that 13,000 apps were uploaded to the BeVigil security search engine.

Around 250 of these apps used the Razorpay API for processing financial transactions. Around 10 (5%) of these apps exposed the payment integration key ID and key secret. The API key is a combination of a key secret and a key ID, and both are needed to make an API request to the payment service provider. In this case, developers “accidentally” embedded the API keys in their source code, which led to this issue, CloudSEK researchers noted in their blog post authored by Arshit Jain and Sai Ahladini Tripathy.
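A pre-release check for the mistake described above, as an added example that is not code from CloudSEK or Razorpay: it scans app source text for hardcoded Razorpay key IDs and flags the cases where a secret-like literal sits next to one. The `rzp_live_`/`rzp_test_` key ID prefix is Razorpay's own; the secret pattern, the search window, the severity scale and the sample files are assumptions made for this example.

```python
import re

# Razorpay key IDs start with rzp_live_ (production) or rzp_test_ (sandbox).
KEY_ID_RE = re.compile(r"\brzp_(live|test)_[A-Za-z0-9]{14}\b")
# Assumption: the key secret appears as a quoted 20-40 character alphanumeric literal.
SECRET_RE = re.compile(r"""["'][A-Za-z0-9]{20,40}["']""")
WINDOW = 3  # lines on each side of a key ID searched for a secret-like literal

# Constructed samples; the key values are placeholders, not real credentials.
SAMPLE_JAVA = '''public class PaymentConfig {
    static final String KEY_ID = "rzp_live_EXAMPLEkey0001";
    static final String KEY_SECRET = "ExampleSecretValue000001";
}
'''
SAMPLE_XML = '<string name="razorpay_key">rzp_test_EXAMPLEkey0002</string>\n'


def redact(key_id):
    """Keep the mode prefix and last four characters so reports do not leak the key."""
    return key_id[:9] + "*" * (len(key_id) - 13) + key_id[-4:]


def scan_source(path, text):
    """Report hardcoded Razorpay key IDs and whether a secret-like literal sits nearby."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID_RE.finditer(line):
            lo, hi = max(0, i - WINDOW), min(len(lines), i + WINDOW + 1)
            secret_nearby = any(SECRET_RE.search(l) for l in lines[lo:hi])
            live = m.group(1) == "live"
            # Severity scale is this example's own: both halves of a live key is worst.
            severity = {(True, True): "critical", (True, False): "high",
                        (False, True): "medium", (False, False): "low"}[(live, secret_nearby)]
            findings.append({"file": path, "line": i + 1, "mode": m.group(1),
                             "key_id": redact(m.group(0)),
                             "secret_nearby": secret_nearby, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_source("PaymentConfig.java", SAMPLE_JAVA) + scan_source("strings.xml", SAMPLE_XML):
        print(f)
```

Run against decompiled or source files in CI, a `critical` finding means both halves of a production credential ship inside the app and the key pair should be rotated, with the secret moved to a server-side component.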
