Square Credentials
Service Name: Square
Service Description: Square provides financial services and digital payment tools for businesses to manage payments, point-of-sale operations, e-commerce, and business analytics.
Service Address: https://squareup.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the application level through Square Dashboard
Secret Access Scope: Grants access to Square's API for processing payments, managing customer data, inventory, and other business operations depending on the permissions assigned to the token.
Secret Revokement URL: https://developer.squareup.com/docs/build-basics/access-tokens#revoke-oauth-tokens
Secret Example: sq0atp-TcVaG_example_FhYpOZF8ZcqQ
Suspicious Activity Investigation Instructions:
- Review the Square Dashboard for unusual transaction activity
- Check the API call logs for unauthorized access or unusual patterns
- Monitor for unexpected refunds or payment processing activities
- Verify if there are any new applications connected to your Square account
- Review webhook subscription changes that might indicate data exfiltration
Mitigation Instructions:
- Immediately revoke the compromised access token through the Square Developer Dashboard
- Generate a new access token with appropriate permissions
- Update the token in all legitimate applications
- Review and adjust application permissions to follow the Principle of Least Privilege.
- Enable two-factor authentication for your Square account.
- Consider implementing webhook signatures to verify the authenticity of webhook notifications.
- Update your application to use the new token and verify it's working correctly