The stripe daemon command from the stripe-cli exposes a local gRPC server that does not require authentication and allows any local application to execute remote procedures. One of the procedures is Listen, which is equivalent to the stripe listen command and receives all webhooks for the user's account. To exploit this issue, the attacker must have another application installed on the victim's computer. Once the attacker executes the remote procedure, webhooks from the victim's account are sent to the attacker. In response to this report, we removed some information delivered via the webhook. We have otherwise accepted the risk due to physical access, man-in-the-middle, or previous compromise as a prerequisite to this attack.
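The failure mode in the report is that binding to loopback was treated as if it were authentication: loopback limits who can reach the port to the machine's own processes, but says nothing about which process is calling. The following is an added illustration, not code from stripe-cli and not its gRPC interface. It models a hypothetical newline-delimited JSON RPC daemon with a Listen method, first with no caller check (any local process that opens the port gets the events), then gated by a secret in a 0600 token file that a legitimate client reads before calling. The method names, message shapes, file name and sample events are constructed for the example.

```python
"""Loopback-only RPC daemon: vulnerable (no auth) vs token-gated.
Hypothetical toy protocol, not the stripe-cli daemon's gRPC API."""
import json
import os
import secrets
import socket
import tempfile
import threading

# Constructed stand-in for the data a Listen procedure would stream.
SAMPLE_WEBHOOKS = [
    {"id": "evt_example_1", "type": "payment_intent.succeeded"},
    {"id": "evt_example_2", "type": "charge.refunded"},
]


class LocalDaemon:
    """Serves one JSON request per connection on 127.0.0.1.
    auth_token=None reproduces the vulnerable behaviour: reachable
    from loopback is treated as authorised."""

    def __init__(self, auth_token=None):
        self.auth_token = auth_token
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listener shut down
                return
            with conn:
                raw = conn.makefile("rb").readline()
                reply = self.dispatch(json.loads(raw))
                conn.sendall(json.dumps(reply).encode() + b"\n")

    def dispatch(self, req):
        """The only difference between the two daemons is whether a
        caller-supplied secret is checked before any procedure runs."""
        if self.auth_token is not None:
            supplied = req.get("token", "")
            if not secrets.compare_digest(supplied, self.auth_token):
                return {"error": "unauthenticated"}
        if req.get("method") == "Listen":
            return {"events": SAMPLE_WEBHOOKS}
        return {"error": "unknown method"}

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def call(port, method, token=None):
    """What any local process can do: open the loopback port, invoke a method."""
    req = {"method": method}
    if token is not None:
        req["token"] = token
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(json.dumps(req).encode() + b"\n")
        return json.loads(s.makefile("rb").readline())


def write_token_file(directory):
    """Hardened pattern: a fresh secret written to a file only the owning
    user can read (mode 0600). A process already running as that user can
    still read it, which is the prior-compromise prerequisite the response
    above refers to; it does stop other local accounts on the machine."""
    token = secrets.token_hex(32)
    path = os.path.join(directory, "daemon-token")  # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    return path, token


def demo():
    """Returns (events taken from the unauthenticated daemon,
    reply to an unauthenticated call on the hardened daemon,
    reply to a properly authenticated call on the hardened daemon)."""
    vuln = LocalDaemon()
    stolen = call(vuln.port, "Listen")  # no token, still gets everything
    vuln.close()

    with tempfile.TemporaryDirectory() as d:
        path, token = write_token_file(d)
        hard = LocalDaemon(auth_token=token)
        denied = call(hard.port, "Listen")
        with open(path) as f:
            allowed = call(hard.port, "Listen", token=f.read())
        hard.close()
    return stolen, denied, allowed


if __name__ == "__main__":
    print(demo())
```

The check a practitioner would run against a real local daemon is the first half of demo(): connect to the port from an unrelated process and see whether a procedure returns data without any credential. Note that the hardened variant protects a different boundary than "is the attacker on the box": it separates processes that can read the user's token file from those that cannot, which is why the report's attacker, already running as the victim, is only partly addressed by it.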
Interestingly, this bug was never fixed. The developer tried to mitigate the `Listen` procedure by *removing some information delivered via the webhook*, but he made a typo, and the bug still works exactly as it did originally. I mentioned this in the comments and, after 90 days, I submitted another report, which was marked as a duplicate.
The attack scenario makes this attack extremely unlikely to affect any Stripe users. I wouldn't have had a problem with it being Informational'ed at the beginning, but paying out and then not fixing the bug made it quite confusing. In the end, I'm happy to walk away with a bounty.