Secret extractor for Square API Secrets #1656
Description
-
Secret name:
Square Personal Access Tokens & Square OAuth Application Secrets -
Risk in exposing the secret:
Exposure of Square API secrets allows attackers to fully impersonate a Square application or merchant account. An attacker could:- Access merchant and location information
- Read or modify payment, customer, order, and inventory data
- Initiate unauthorized transactions or refunds
- Perform reconnaissance on connected Square accounts
These secrets grant direct API access and are typically long-lived, making them high-impact if leaked.
-
Secret formats & detection logic:
-
Square Personal Access Tokens
-
Prefix:
EAAA -
Length: 64 characters total
-
Allowed characters: alphanumeric,
-,+,= -
Regex:
EAAA[\w\-\+\=]{60}
-
-
Square OAuth Application Secrets
-
Prefix:
sq0csp- -
Length: 50 characters total
-
Allowed characters: alphanumeric,
_,- -
Regex:
sq0csp-[A-Za-z0-9_-]{43}
-
-
-
Validation method, if any
-
Fetch merchant metadata:
```
GET https://connect.squareup.com/v2/merchants
Authorization: Bearer <access_token>
```
A successful response confirms the token belongs to a real Square merchant account.
-
Enricher plugin opportunity:
An enricher can:- Identify whether the token is production or sandbox
- Extract merchant ID, country, and business name (if available)
- Flag scope breadth (read-only vs write-enabled endpoints)
-
Token details:
- Application tokens are tied to specific Square applications
- Tokens may have broad permissions depending on the app configuration
- OAuth application secrets are especially sensitive, as they can be used to mint new access tokens
-
Resources:
-
Square API documentation:
-
Square Authentication & OAuth:
-
Locations API reference:
-
Merchants API reference:
-