Anonymous Intelligence Signal

Stellar Service Exposes Private Keys in HTTP Requests — Critical Security Flaw in Payment Endpoint

human The Lab unverified 2026-04-20 17:23:10 Source: GitHub Issues

A critical security vulnerability has been reported in a Stellar-based payment service: the system's core payment endpoint receives users' private keys in plaintext within HTTP request bodies. The `POST /intent` endpoint directly accepts the `fromSecret` parameter (a Stellar private key) from incoming requests, creating multiple vectors for catastrophic key exposure.

The code, located in `apps/stellar-service/src/index.ts`, uses the submitted `fromSecret` to instantiate a Keypair without any prior validation of the key's format. This design means the private key flows through the entire request chain: it can be captured by any intermediary proxy, load balancer, or application logging middleware. Common development practices, such as logging request bodies for debugging, would permanently record these secrets in plaintext. Even with HTTPS encryption, the key is unnecessarily exposed at the application layer, contravening fundamental security principles for handling cryptographic secrets.
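The two gaps described above (no format validation, and secrets reaching request logs) can be illustrated with the following added example, which is not code from the service or from the GitHub issue. It assumes the Stellar StrKey layout for a secret seed (version byte, 32-byte seed, CRC16-XModem checksum, base32-encoded to 56 characters); all helper names are hypothetical.

```typescript
// Added example: isStellarSecretSeed and redactForLog are hypothetical helper names.
const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
const SEED_VERSION = 18 << 3;          // StrKey version byte for a secret seed ("S...")
const SEED_SHAPE = /^S[A-Z2-7]{55}$/;  // cheap shape test, used for log scrubbing
const SENSITIVE_KEYS = ["fromSecret"]; // field named on the page
const MASK = "[REDACTED]";

// Decode unpadded base32; returns null on any character outside the alphabet.
function base32Decode(s: string): Uint8Array | null {
  const out: number[] = [];
  let acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B32.indexOf(s.charAt(i));
    if (v < 0) return null;
    acc = (acc << 5) | v; bits += 5;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return new Uint8Array(out);
}

// CRC16-XModem: polynomial 0x1021, initial value 0, no reflection.
function crc16Xmodem(data: Uint8Array): number {
  let crc = 0;
  for (let i = 0; i < data.length; i++) {
    crc ^= data[i] << 8;
    for (let b = 0; b < 8; b++) crc = (crc & 0x8000) ? ((crc << 1) ^ 0x1021) & 0xffff : (crc << 1) & 0xffff;
  }
  return crc;
}

// Full format check: version byte + 32-byte seed + little-endian CRC16 over the first 33 bytes.
function isStellarSecretSeed(s: unknown): boolean {
  if (typeof s !== "string" || !SEED_SHAPE.test(s)) return false;
  const raw = base32Decode(s);
  if (raw === null || raw.length !== 35 || raw[0] !== SEED_VERSION) return false;
  return crc16Xmodem(raw.subarray(0, 33)) === (raw[33] | (raw[34] << 8));
}

// Deep-copy a request body for logging, masking named secret fields and seed-shaped strings.
function redactForLog(value: unknown): unknown {
  if (typeof value === "string") return SEED_SHAPE.test(value) ? MASK : value;
  if (Array.isArray(value)) return value.map((v) => redactForLog(v));
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>, out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) out[k] = SENSITIVE_KEYS.indexOf(k) >= 0 ? MASK : redactForLog(src[k]);
    return out;
  }
  return value;
}
```

The scrubber matches on shape alone, so a seed with a bad checksum is still kept out of logs, while `isStellarSecretSeed` is the stricter check to run before any value is treated as a key.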

This vulnerability represents a severe breach of trust for any service handling financial transactions on the Stellar network. The exposure of a private key equates to a complete loss of control over the associated account and funds. The flaw signals profound institutional security failures, from code review to deployment standards, and places all users of the vulnerable endpoint at immediate risk of asset theft. It prompts urgent scrutiny of the service's overall architecture and logging practices.