{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/quota-fraud/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Stripe Webhook"],"_cs_severities":["critical"],"_cs_tags":["stripe","webhook","signature-bypass","quota-fraud"],"_cs_type":"advisory","_cs_vendors":["Stripe"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the \u003ccode\u003eRecharge\u003c/code\u003e function does not validate that the order\u0026rsquo;s \u003ccode\u003ePaymentMethod\u003c/code\u003e matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers a user account on the target platform.\u003c/li\u003e\n\u003cli\u003eAttacker calls \u003ccode\u003ePOST /api/user/pay\u003c/code\u003e to create an Epay top-up order, setting the \u003ccode\u003eamount\u003c/code\u003e. The order is stored with a \u003ccode\u003epending\u003c/code\u003e status.\u003c/li\u003e\n\u003cli\u003eAttacker queries \u003ccode\u003eGET /api/user/topup/self\u003c/code\u003e to retrieve the \u003ccode\u003etrade_no\u003c/code\u003e of the pending order.\u003c/li\u003e\n\u003cli\u003eAttacker computes an \u003ccode\u003eHMAC-SHA256\u003c/code\u003e signature with an empty key over a crafted \u003ccode\u003echeckout.session.completed\u003c/code\u003e payload. This payload contains the stolen \u003ccode\u003etrade_no\u003c/code\u003e as the \u003ccode\u003eclient_reference_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e with the forged payload and a crafted \u003ccode\u003eStripe-Signature\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe server verifies the signature, which passes because the \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e is empty.\u003c/li\u003e\n\u003cli\u003eThe server calls the \u003ccode\u003eRecharge()\u003c/code\u003e function, which finds the Epay order by \u003ccode\u003etrade_no\u003c/code\u003e, marks the order as \u003ccode\u003esuccess\u003c/code\u003e, and credits the attacker\u0026rsquo;s account with the full quota.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSet \u003ccode\u003eStripeWebhookSecret\u003c/code\u003e to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).\u003c/li\u003e\n\u003cli\u003eApply a reverse proxy (Nginx, Caddy, etc.) to deny access to \u003ccode\u003e/api/stripe/webhook\u003c/code\u003e if Stripe is not configured, as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Forged Stripe Webhook Request\u003c/code\u003e to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.\u003c/li\u003e\n\u003cli\u003eUpgrade to v0.12.10 immediately, as it addresses all three flaws completely.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T15:43:25Z","date_published":"2026-04-24T15:43:25Z","id":"/briefs/2026-04-stripe-webhook-bypass/","summary":"A vulnerability in the Stripe webhook handler allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without payment, stemming from an empty StripeWebhookSecret and lack of PaymentMethod validation, enabling cross-gateway exploitation.","title":"Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud","url":"https://feed.craftedsignal.io/briefs/2026-04-stripe-webhook-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Quota-Fraud","version":"https://jsonfeed.org/version/1.1"}