TurboTenant Unauthorized Access Vulnerability in Stripe Integration
Vulnerability
A vulnerability in the TurboTenant property listing activation workflow could allow unauthorized access to certain Stripe payment session data. This issue, present in versions through 2.0.0, has the potential to expose sensitive business metadata, including landlord dashboard sync details and tenant information. The vulnerability affects the API endpoints responsible for property listing activation, subscription metadata, and payment link generation.
Impact
Exploitation of this vulnerability could lead to unauthorized access to Stripe payment session data, allowing exposure and potential manipulation of sensitive business metadata, including landlord dashboard sync details and tenant information. Such access could also facilitate unauthorized changes to subscriptions or one-time payments.
Remediation
This vulnerability has been fixed in TurboTenant release v2.0.1. Affected landlords and operators of affected Stripe accounts should update to this version immediately, rotate Stripe API keys, and re-authenticate any automated workflows. Additionally, verify that all Stripe keys are stored securely in a secret manager, restrict access to TurboTenant onboarding dashboards to trusted internal users, and, until the patch is applied, manually review any newly generated payment links for suspicious activity.
