mppx Stripe Payment Credential Replay Vulnerability

Vulnerability

A vulnerability in mppx, the TypeScript interface for the machine payments protocol, prior to version 0.4.11 allowed Stripe payment credentials to be replayed. The stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. Stripe sets this header to true when a request reuses an earlier idempotency key; in that case it returns the stored result of the original request instead of charging the customer again. Because the header was ignored, an attacker could present a valid credential with the same spt token against a new challenge: the server received the original, already-succeeded PaymentIntent, treated it as a fresh successful payment, and released the resource without the customer being charged a second time. An attacker could therefore pay once and consume resources repeatedly by replaying the credential.

Impact

Exploitation of this vulnerability allowed unauthorized replay of payment credentials: an attacker who paid once could obtain paid resources repeatedly without further charges, which also exposes the server to resource exhaustion.

Reproduction

The vulnerability can be reproduced by creating a PaymentIntent through the stripe/charge payment method in a version of mppx prior to 0.4.11. After the initial payment is processed, the same spt token is replayed against a new challenge. Stripe returns the original PaymentIntent with Idempotent-Replayed set to true, and the server accepts it as a new payment without the customer being charged again. Automating the replay lets an attacker consume unlimited resources for a single payment.

Remediation

Users should upgrade to mppx version 0.4.11 or later, where the stripe/charge method checks the Idempotent-Replayed header and rejects replayed PaymentIntents.
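The following is an added example, not code from mppx or Stripe, illustrating the replay described in the Vulnerability, Reproduction and Remediation sections above. It models Stripe's idempotency behaviour with an in-memory stand-in (a real call would go through POST /v1/payment_intents; with the stripe-node library the response headers are available on the returned object's lastResponse.headers) and assumes, as the advisory only implies, that the spt token is what the server passes as the idempotency key. The ResourceServer class, the MockStripe class and the replayScenario function are constructed for this example.

```typescript
// Added example (not mppx's or Stripe's code). Models Stripe idempotency and a
// server-side charge check, with and without the Idempotent-Replayed guard.

type Headers = Record<string, string>;

interface PaymentIntent {
  id: string;
  amount: number;
  status: "succeeded";
}

interface StripeResponse {
  status: number;
  headers: Headers;
  body: PaymentIntent;
}

// Stand-in for POST /v1/payment_intents. As with Stripe, a request that reuses
// an idempotency key gets the stored first response back, marked with
// "Idempotent-Replayed: true", and the customer is not charged again.
class MockStripe {
  private byKey = new Map<string, PaymentIntent>();
  public charges = 0; // how many times the customer was actually charged

  createPaymentIntent(amount: number, idempotencyKey: string): StripeResponse {
    const prior = this.byKey.get(idempotencyKey);
    if (prior) {
      return { status: 200, headers: { "idempotent-replayed": "true" }, body: prior };
    }
    this.charges += 1;
    const pi: PaymentIntent = { id: `pi_${this.charges}`, amount, status: "succeeded" };
    this.byKey.set(idempotencyKey, pi);
    return { status: 200, headers: {}, body: pi };
  }
}

// Assumption: the spt token the client presents is used as the idempotency key.
interface ChargeCredential { spt: string; amount: number }
interface Challenge { id: string; amount: number }

// The check the fix adds: a replayed idempotent request means the PaymentIntent
// was created for an earlier challenge and no new charge took place.
function isReplayedPaymentIntent(res: StripeResponse): boolean {
  return res.headers["idempotent-replayed"] === "true";
}

class ResourceServer {
  constructor(private stripe: MockStripe, private rejectReplays: boolean) {}

  // Returns true when the credential is accepted as payment for this challenge.
  settle(challenge: Challenge, cred: ChargeCredential): boolean {
    if (cred.amount < challenge.amount) return false;
    const res = this.stripe.createPaymentIntent(cred.amount, cred.spt);
    if (res.status !== 200 || res.body.status !== "succeeded") return false;
    // Vulnerable behaviour (rejectReplays = false): the replayed, already
    // succeeded PaymentIntent is accepted as a new payment.
    if (this.rejectReplays && isReplayedPaymentIntent(res)) return false;
    return true;
  }
}

// Replays one credential against `attempts` fresh challenges and reports how
// many were accepted versus how many times the customer was charged.
function replayScenario(rejectReplays: boolean, attempts: number): { accepted: number; charged: number } {
  const stripe = new MockStripe();
  const server = new ResourceServer(stripe, rejectReplays);
  const cred: ChargeCredential = { spt: "spt_constructed_example_token", amount: 100 };
  let accepted = 0;
  for (let i = 0; i < attempts; i++) {
    if (server.settle({ id: `chal_${i}`, amount: 100 }, cred)) accepted += 1;
  }
  return { accepted, charged: stripe.charges };
}

console.log("vulnerable:", replayScenario(false, 5)); // 5 accepted, 1 charge
console.log("fixed:     ", replayScenario(true, 5));  // 1 accepted, 1 charge
```

The header check is the minimal fix the advisory describes. A server that also records which PaymentIntent ids it has already honoured gets defence in depth, since it then no longer depends solely on Stripe's replay signalling to refuse a second use of the same payment.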

Added: Mar 31, 2026, 3:59 PM
Updated: Mar 31, 2026, 3:59 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 5.7
remediation: 0.0
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.