@rodolfomarianocy discovered that due to a code change deployed on 2/14/2022, Cross Site Request Forgery (CSRF) protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user into visiting a malicious website and cause limited changes to the victim's Stripe account without being able to access data associated with the account. Sensitive actions like money movement remained protected by requiring password re-entry or solving a reCAPTCHA challenge. The issue was fixed on 3/3/2022. Stripe's investigation found no evidence of user impact during the 18-day window that the code change was active.
This issue is the same as #1483327 which was reported earlier but was incorrectly closed during the triage process. On 2/28/2022, we triaged this report, which was validated and resolved. As a result, we made the decision to reward both reporters since this was the first report that was reproduced and triaged.
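The disclosure describes two independent layers: a CSRF token check on every state-changing request, and a step-up requirement (password re-entry or reCAPTCHA) on sensitive actions such as money movement. The following Python sketch is an added illustration of how those layers interact, written for this page; it is not Stripe's code, and the `Session`, `Request`, `authorize` names, the `SENSITIVE_ACTIONS` set and the sample requests are all constructed. The `csrf_enabled` flag models the regression: with it off, a cross-site request to a low-risk endpoint is accepted (the impact the disclosure describes), while a sensitive action is still stopped by the second layer.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed for this example: which actions require step-up authentication.
SENSITIVE_ACTIONS = {"payout", "change_bank_account"}


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to this session only."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    # Set when the user recently re-entered their password / passed a challenge.
    recently_reauthenticated: bool = False


@dataclass
class Request:
    """Fields of an incoming state-changing request relevant to the checks."""
    action: str
    form_token: Optional[str]  # token the submitting page included, if any


def csrf_valid(session: Session, request: Request, csrf_enabled: bool = True) -> bool:
    """Synchronizer-token check: the submitted token must match the session's."""
    if not csrf_enabled:
        # Models the regression: every request passes regardless of token.
        return True
    if request.form_token is None:
        return False
    # Constant-time comparison so token validation does not leak timing.
    return hmac.compare_digest(session.csrf_token, request.form_token)


def authorize(session: Session, request: Request, csrf_enabled: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason) after applying both protection layers."""
    if not csrf_valid(session, request, csrf_enabled):
        return False, "csrf token missing or mismatched"
    if request.action in SENSITIVE_ACTIONS and not session.recently_reauthenticated:
        # Second layer: money movement still needs fresh authentication.
        return False, "step-up authentication required"
    return True, "ok"


def simulate() -> dict:
    """Run constructed requests through both configurations and collect outcomes."""
    session = Session(user="victim")
    # A cross-site page cannot read the victim's token, so it submits none.
    forged_low_risk = Request(action="rename_webhook", form_token=None)
    forged_sensitive = Request(action="payout", form_token=None)
    # A legitimate first-party form carries the session-bound token.
    legit_low_risk = Request(action="rename_webhook", form_token=session.csrf_token)

    return {
        "protected_forged_low_risk": authorize(session, forged_low_risk)[0],
        "protected_legit_low_risk": authorize(session, legit_low_risk)[0],
        "regressed_forged_low_risk": authorize(session, forged_low_risk, csrf_enabled=False)[0],
        "regressed_forged_sensitive": authorize(session, forged_sensitive, csrf_enabled=False)[0],
    }


if __name__ == "__main__":
    for name, allowed in simulate().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The useful takeaway for a defender is the last two outcomes: once the token check is gone, the only thing separating a forged low-risk request from a forged payout is the step-up layer, which is why such a regression should be caught by a test that sends a token-less POST to a state-changing endpoint and asserts it is rejected, independently of whether sensitive actions are also gated.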