Stripe webhook signature validation bypass in 1.5K+ web apps

Researchers at SecurityScanner.dev found that 1,542 out of ~6,000 tested web apps accepted forged Stripe webhook events that carried no Stripe-Signature header at all. The affected endpoints trusted the structure of the incoming event instead of verifying its signature against the endpoint's webhook signing secret.
No authentication or special privileges are required: any internet client can send a fake checkout.session.completed JSON payload that mimics a legitimate Stripe event. If the backend trusts that payload, it may trigger business-logic actions such as marking an order as paid, activating a subscription, or granting access to paid features.
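The two handler patterns described above, side by side, as an added example that is not code from the original article, from SecurityScanner.dev, or from Stripe. The verifier follows Stripe's publicly documented scheme (HMAC-SHA256 over `<timestamp>.<raw body>`, keyed with the endpoint secret, carried in the header as `t=...,v1=...`); the secret, event identifiers, function names and the `now` parameter are constructed for this example, and in a real deployment the same check is done by `stripe.Webhook.construct_event` from the official SDK.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed endpoint secret for this example; a real one is the whsec_... value
# from the Stripe dashboard and is read from configuration, never embedded in source.
ENDPOINT_SECRET = "whsec_CONSTRUCTED_EXAMPLE_SECRET"
TOLERANCE_SECONDS = 300  # reject signatures older than five minutes (replay window)


def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Build a Stripe-Signature header value per Stripe's documented scheme:
    HMAC-SHA256 over '<timestamp>.<raw body>', keyed with the endpoint secret."""
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(secret: str, payload: bytes, header: str,
                     tolerance: int = TOLERANCE_SECONDS,
                     now: Optional[float] = None) -> bool:
    """True only if the header carries a v1 signature matching the raw payload and a
    timestamp within tolerance. Parsing is defensive: a malformed header fails."""
    timestamp = None
    candidates = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            return False
        if key == "t":
            if not value.isdigit():
                return False
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    if now is None:
        now = time.time()
    if abs(now - timestamp) > tolerance:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload,
                        hashlib.sha256).hexdigest()
    # Constant-time comparison against every v1 value (several are present during secret rotation).
    return any(hmac.compare_digest(expected, c) for c in candidates)


def vulnerable_handler(payload: bytes, headers: dict) -> Tuple[str, Optional[str]]:
    """The pattern the scan found: act on the event type without checking any signature."""
    event = json.loads(payload)
    if event.get("type") == "checkout.session.completed":
        return ("order_marked_paid", event["data"]["object"]["id"])
    return ("ignored", None)


def hardened_handler(payload: bytes, headers: dict, secret: str = ENDPOINT_SECRET,
                     now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Verify the signature over the raw body before parsing or acting on anything."""
    header = headers.get("Stripe-Signature")
    if not header or not verify_signature(secret, payload, header, now=now):
        return ("rejected_400", None)
    event = json.loads(payload)
    if event.get("type") == "checkout.session.completed":
        return ("order_marked_paid", event["data"]["object"]["id"])
    return ("ignored", None)


# Constructed event body shaped like a checkout.session.completed event; no signature attached.
FORGED_EVENT = json.dumps({
    "id": "evt_constructed_0001",
    "type": "checkout.session.completed",
    "data": {"object": {"id": "cs_constructed_0001", "payment_status": "paid"}},
}).encode()

if __name__ == "__main__":
    now = 1_700_000_000
    print("vulnerable, no header:", vulnerable_handler(FORGED_EVENT, {}))
    print("hardened,   no header:", hardened_handler(FORGED_EVENT, {}, now=now))
    good = {"Stripe-Signature": sign_payload(ENDPOINT_SECRET, FORGED_EVENT, now)}
    print("hardened,  valid sig :", hardened_handler(FORGED_EVENT, good, now=now))
```

Two details matter in practice: the HMAC must be computed over the exact raw request bytes (re-serialising parsed JSON changes whitespace and breaks the digest), and the timestamp tolerance is what turns a captured valid event into a rejected replay rather than a second order activation.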
Vendors: Stripe, SecurityScanner.dev
Products: Stripe Webhook
Published: 2026-05-13, 09:59