CSRF token validation system is disabled on Stripe Dashboard
Program: stripe
Bug Type: CSRF
Bounty: Unspecified
Date: 2022-02-17
Summary
This report describes a temporary CSRF vulnerability in the Stripe Dashboard caused by a code change deployed on 2/14/2022 that left the CSRF token validation system disabled. While the change was live, an attacker could lure a logged-in user to a malicious website, which could then submit state-changing requests on the user's behalf and perform limited actions such as changing email subscription settings. Sensitive actions like money transfers remained protected by a second control (password re-entry or reCAPTCHA), so the bug did not allow full account compromise. The issue was fixed on 3/3/2022, and Stripe found no evidence of user impact during the 18-day window. The report was initially closed in triage but later validated and rewarded as the first report identifying the bug.
This summary was generated by AI