Stripe: CSRF token validation system is disabled on Stripe Dashboard

HackerOne report H1:1493437
Reported: 2022-02-27 20:36:34
Reporter: rodolfomarianocy
Source: hackerone.com
Bounty: $2500

@rodolfomarianocy discovered that due to a code change deployed on 2/14/2022, Cross Site Request Forgery (CSRF) protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user into visiting a malicious website and cause limited changes to the victim's Stripe account without being able to access data associated with the account. Sensitive actions like money movement remained protected by requiring password re-entry or solving a reCAPTCHA challenge. The issue was fixed on 3/3/2022. Stripe's investigation found no evidence of user impact during the 18 day window that the code change was active.
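The failure mode described above is a state-changing request from a foreign origin being accepted because token validation is no longer enforced. The following is an added illustration, not Stripe's code: a minimal synchronizer-token CSRF check in which the regression is modelled as a `validation_enabled` flag, plus the regression check a CI pipeline would run so that a deploy which disables validation fails before it ships. The origin names and the `Request` shape are assumptions made for the example.

```python
"""Minimal synchronizer-token CSRF check and the regression test that a
"validation disabled" deploy would fail. Constructed example, not Stripe code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_ORIGIN = "https://dashboard.example"  # assumed dashboard origin


@dataclass
class Request:
    method: str
    session_csrf: Optional[str]    # token bound to the user's server-side session
    submitted_csrf: Optional[str]  # token carried in this request's form/header
    origin: Optional[str]          # Origin header as sent by the browser


def issue_token() -> str:
    """Per-session token; stored server-side and embedded in dashboard forms."""
    return secrets.token_urlsafe(32)


def csrf_valid(req: Request, validation_enabled: bool = True) -> bool:
    """Return True if a request may change state."""
    if req.method in SAFE_METHODS:
        return True
    if not validation_enabled:  # the regression: every cross-site POST passes
        return True
    if req.session_csrf is None or req.submitted_csrf is None:
        return False
    if req.origin is not None and req.origin != TRUSTED_ORIGIN:
        return False
    return hmac.compare_digest(req.session_csrf, req.submitted_csrf)


def forged_request_rejected(validation_enabled: bool = True) -> bool:
    """Regression check: a cross-site POST without the token must be refused.
    Returns False when the deployed configuration has lost that guarantee."""
    tok = issue_token()
    forged = Request("POST", session_csrf=tok, submitted_csrf=None,
                     origin="https://other-site.example")  # constructed foreign origin
    return not csrf_valid(forged, validation_enabled)


def legit_request_accepted(validation_enabled: bool = True) -> bool:
    """Sanity check: a same-origin POST carrying the session token still works."""
    tok = issue_token()
    legit = Request("POST", session_csrf=tok, submitted_csrf=tok, origin=TRUSTED_ORIGIN)
    return csrf_valid(legit, validation_enabled)
```

Running `forged_request_rejected()` against each deployed configuration in CI is the check that turns a silently disabled validator into a failed build.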

This issue is the same as #1483327 which was reported earlier but was incorrectly closed during the triage process. On 2/28/2022, we triaged this report, which was validated and resolved. As a result, we made the decision to reward both reporters since this was the first report that was reproduced and triaged.