[Stripe] CSRF token validation system is disabled ($2500 USD)
Original Post:
We discussed this vulnerability during Episode 133 on 04 April 2022
The title says it all: CSRF protection was disabled for a period of time on Stripe’s Dashboard. Because the most sensitive actions required re-entering the user’s password or solving a captcha, the damage was limited, but you could still change various account settings. It’s a bit of a crazy vulnerability to have introduced, just straight-up disabling CSRF checking.
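To make the two halves of the write-up concrete (a CSRF check that is switched off, and step-up re-authentication that still blocks the most sensitive actions), here is an added illustration in Python. It is constructed for this summary and is not Stripe's code; the endpoint, session layout, action names and the `csrf_enabled` flag are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed model of a dashboard settings endpoint (not Stripe's code).
# Actions assumed to require the user to re-enter their password.
SENSITIVE_ACTIONS = {"change_email", "add_bank_account"}


def _pw_hash(password: str) -> str:
    # Placeholder for a real password hash (argon2/bcrypt) in production code.
    return hashlib.sha256(password.encode()).hexdigest()


def new_session(password: str) -> dict:
    """Start a session with a fresh, unguessable per-session CSRF token."""
    return {"csrf_token": secrets.token_urlsafe(32), "pw_hash": _pw_hash(password)}


def csrf_valid(session: dict, submitted: Optional[str], enabled: bool = True) -> bool:
    """Synchronizer-token check: the token posted with the form must equal the
    one stored in the session. With enabled=False every request passes, which
    is the state the write-up describes."""
    if not enabled:
        return True
    if submitted is None:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_settings_change(session: dict, action: str, submitted_token: Optional[str],
                           reauth_password: Optional[str] = None,
                           csrf_enabled: bool = True) -> Tuple[str, str]:
    """Return (status, reason). Sensitive actions additionally require the
    password, a secret a cross-site page cannot supply, so they stay protected
    even when the CSRF check is disabled."""
    if not csrf_valid(session, submitted_token, csrf_enabled):
        return ("rejected", "csrf")
    if action in SENSITIVE_ACTIONS:
        if reauth_password is None or not hmac.compare_digest(
                session["pw_hash"], _pw_hash(reauth_password)):
            return ("rejected", "reauth")
    return ("ok", action)
```

With `csrf_enabled=False` a forged form post with no token succeeds for an ordinary setting, while a sensitive action still fails on the re-authentication step.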