New API Stripe Webhook Signature Bypass Vulnerability Allows Quota Fraud
Vulnerability
A vulnerability in the Stripe webhook handler of New API versions prior to 0.12.10 allows unauthenticated attackers to forge webhook events and receive arbitrary quota credits without making any payments. The issue arises because the webhook endpoint still performs signature verification when the configured webhook secret is empty, so anyone can compute a signature with the empty key that passes the check. Additionally, the handler does not check that the order being settled was created for Stripe, so an order opened through another payment gateway can be settled by a forged Stripe event (cross-gateway exploitation).
Impact
Exploitation of this vulnerability leads to financial fraud by allowing attackers to obtain unlimited API quota without payment, causing financial losses for operators who are charged for the consumed quota. The vulnerability can be exploited silently, as fraudulent transactions appear normal in system logs.
Reproduction
To reproduce this vulnerability, first ensure that the Stripe webhook secret is set to empty, which is the default. Then, create an account and initiate a top-up order using a payment method other than Stripe, such as Epay. Once the order is pending, retrieve the trade number and craft a webhook event payload that includes the trade number as a reference. Compute a valid webhook signature using HMAC-SHA256 with an empty key, and send the forged payload and signature to the Stripe webhook endpoint. The server will accept the request, credit the quota, and mark the order as successful.
Remediation
Users should upgrade to New API version 0.12.10, which addresses the vulnerability by rejecting empty webhook secrets, verifying payment statuses, and validating payment methods. For those unable to upgrade immediately, set the Stripe webhook secret to a non-empty value or block the webhook endpoint if Stripe is not in use.
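The checks the fix describes, as an added Go example that is not New API's own code: the verifier fails closed on an empty secret instead of verifying against the empty key, and the credit step refuses orders not opened through Stripe. The `Sign` helper, the `SettleFromStripe` stub and the sample secret and trade number are assumptions for illustration; the signature format follows Stripe's documented `t=...,v1=...` scheme.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
)

// Sign computes Stripe's v1 value, hex(HMAC-SHA256(secret, "<ts>.<payload>")); with an empty secret anyone can compute it.
func Sign(secret string, ts int64, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "." + string(payload)))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyStripeSignature parses a "t=...,v1=..." Stripe-Signature header and fails
// closed on an empty secret instead of verifying against the empty key.
func VerifyStripeSignature(secret, header string, payload []byte) error {
	if secret == "" {
		return errors.New("stripe webhook secret is empty; refusing to verify")
	}
	ts, sigs := int64(0), []string{}
	for _, part := range strings.Split(header, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(part), "=")
		if k == "t" {
			ts, _ = strconv.ParseInt(v, 10, 64)
		} else if k == "v1" {
			sigs = append(sigs, v)
		}
	}
	want := Sign(secret, ts, payload)
	for _, s := range sigs {
		if hmac.Equal([]byte(s), []byte(want)) { // constant-time compare
			return nil
		}
	}
	return errors.New("no v1 signature matched")
}

// SettleFromStripe (hypothetical credit step): a Stripe event may only settle an
// order that was opened through Stripe, which closes the Epay cross-gateway path.
func SettleFromStripe(orderPaymentMethod string) error {
	if orderPaymentMethod != "stripe" {
		return errors.New("order was not opened through the stripe gateway")
	}
	return nil
}
```

Stripe's own SDK additionally enforces a timestamp tolerance on `t` to limit replay; that check is left out here to keep the example short.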
