HackerOne report H1:1483327, reporter d_sharad
Disclosed: Feb 17, 2022, 11:22 a.m.

Stripe: CSRF token validation system is disabled on Stripe Dashboard

Source: hackerone.com
Bounty: $2500
Tags: csrf, stripe, dashboard, code change, csrf protection, attacker, validation system, triaged, bug bounty, reporters

@d_sharad discovered that, due to a code change deployed on 2/14/2022, Cross Site Request Forgery (CSRF) protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user into visiting a malicious website and cause limited changes to the victim’s Stripe account (such as changing the victim’s email subscription settings) without being able to access data associated with the account. Sensitive actions like money movement remained protected by requiring password re-entry or solving a reCAPTCHA challenge. The issue was fixed on 3/3/2022. Stripe’s investigation found no evidence of user impact during the 18-day window that the code change was active.
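The two states the summary contrasts, a synchronizer-token check that is enforced versus one that has been turned into a no-op, are illustrated below. This is an added example written for this page, not Stripe's code; the function names, the `enforce` flag and the two sample actions (a low-sensitivity subscription toggle guarded only by the token, and a money-movement action that additionally demands password re-entry) are assumptions made to model the behaviour the summary describes.

```python
"""Synchronizer-token CSRF check, shown enforced and disabled.

Constructed illustration of the failure mode in the summary above; the
names and the `enforce` switch are assumptions, not Stripe's implementation.
"""
import hmac
import secrets
from typing import Optional


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token, keep it server-side and embed it in the page."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(session: dict, submitted: Optional[str], enforce: bool = True) -> bool:
    """Return True if a state-changing request may proceed."""
    if not enforce:
        # Disabled check: every cross-site POST carrying the victim's cookie passes.
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so token checks do not leak timing information.
    return hmac.compare_digest(expected, submitted)


def update_subscription(session: dict, form: dict, enforce: bool = True) -> str:
    """Low-sensitivity action guarded only by the CSRF token."""
    if not csrf_check(session, form.get("csrf_token"), enforce):
        return "rejected"
    session["email_subscription"] = form["subscribe"]
    return "changed"


def move_money(session: dict, form: dict, enforce: bool = True) -> str:
    """High-sensitivity action: CSRF token plus a fresh password re-entry."""
    if not csrf_check(session, form.get("csrf_token"), enforce):
        return "rejected"
    if not form.get("password_reentered"):
        return "reauth_required"
    return "transferred"


def simulate(enforce: bool) -> dict:
    """Run one legitimate and one forged request against both actions."""
    # Constructed victim session; the browser attaches its cookie to every request.
    victim_session = {"email_subscription": "on"}
    page_token = issue_csrf_token(victim_session)

    # Form submitted from the real dashboard page, which embeds the token.
    legit = {"csrf_token": page_token, "subscribe": "off"}
    # Cross-site form post: the cookie rides along, but the attacker's page
    # cannot read the token, so the field is simply absent.
    forged = {"subscribe": "off"}

    return {
        "legit_subscription": update_subscription(dict(victim_session), legit, enforce),
        "forged_subscription": update_subscription(dict(victim_session), forged, enforce),
        "forged_money": move_money(dict(victim_session), forged, enforce),
    }


if __name__ == "__main__":
    print("enforced:", simulate(True))
    print("disabled:", simulate(False))
```

With `enforce=False` the forged subscription change goes through, while the forged money movement still stops at the re-authentication step; this is the "limited changes" outcome the summary describes. With the check enforced, both forged requests are rejected and only the request that carries the page-embedded token succeeds. A regression test that submits a tokenless POST and expects rejection would have caught the configuration change before deployment.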

This issue was incorrectly closed during the triage process. On 2/28/2022, we triaged a similar report from another reporter, which was validated and resolved. While determining a bounty, we reviewed all CSRF reports and found this report was incorrectly closed. As a result, we made the decision to reward both reporters since this was the first report identifying the bug.