A common thing I see in many popular applications is that a developer “disables” an HTML element purely through the “class” attribute, leaving the element and the action behind it otherwise intact. It usually looks something like this:
<a href="#" name="disabled_button" class="button small grey disabled">
This is fine as a visual cue, but because the class is only honoured by the browser, in some situations it can be manipulated to perform actions that really shouldn’t be available to an unauthenticated user. That’s exactly what happened in a bug I submitted to Stripe a few weeks ago.
When you are logged into your Stripe account, you will be timed out after a certain amount of inactivity. Once you reach this timeout, you aren’t able to make any changes on the account or view other pages until you re-authenticate by entering your password. Herein lies the problem with using a “disabled” class: an attacker can simply open the page in inspect element, delete the class, navigate to the pages behind the lockout and send requests from them.
In the video below, you’ll see how I’m locked out of a Stripe account because of inactivity, but by navigating to the “invite user” section of the timeout page through inspect element, I am able to invite myself as an administrator on the timed-out account without authenticating first.
This, of course, requires a person to first be logged in to their Stripe account and leave their computer out in the open… but using this method you can render the entire lockout process completely useless on a Stripe.com account. It’s interesting nonetheless that the folks at Stripe made sure that a malicious user couldn’t change the webhooks… but inviting an administrator to the account was completely allowed.
Stripe followed up and clarified that simply dismissing the modal isn’t enough to bypass the authentication check, because it is enforced at the backend; in this case, however, that backend check had accidentally been removed, which is what allowed me to invite another administrator.
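To make the distinction concrete, here is an added example (my own toy code, not Stripe’s) that models a lockout enforced only by a “disabled” class beside the same action with the idle-timeout check repeated on the backend, as in the fix Stripe describes. The timeout value, session shape, handler names and sample addresses are all assumptions for illustration.

```javascript
// Added example (not Stripe's code): a toy model of an inactivity lockout
// enforced only by the "disabled" class on the client, beside the same
// action with the check repeated on the backend. The timeout, session
// fields, handler names and sample data are all assumptions.

const IDLE_TIMEOUT_MS = 15 * 60 * 1000; // assumed inactivity threshold

// Constructed session: the owner logged in and then walked away, leaving
// the tab open and idle for longer than the timeout. The plaintext
// "password" field is a stand-in for a real credential check.
function makeIdleSession(now) {
  return { userId: 42, password: "correct horse", lastActivity: now - 2 * IDLE_TIMEOUT_MS };
}

function isLockedOut(session, now) {
  return now - session.lastActivity > IDLE_TIMEOUT_MS;
}

// Re-entering the password is the only legitimate way out of the lockout.
function reauthenticate(session, password, now) {
  if (password !== session.password) return false;
  session.lastActivity = now;
  return true;
}

// What the timeout page renders. The "disabled" class is the only thing
// between the user and the link; deleting it in the inspector re-enables
// the action on the client.
function renderInviteLink(session, now) {
  const cls = "button small grey" + (isLockedOut(session, now) ? " disabled" : "");
  return `<a href="#" name="invite_admin" class="${cls}">Invite user</a>`;
}

// VULNERABLE handler: assumes the UI already prevented the request, so it
// never re-checks the lockout and silently grants admin rights.
function inviteAdminVulnerable(session, now, email, account) {
  account.admins.push(email);
  return { status: 200 };
}

// FIXED handler: every state-changing request re-checks the idle timeout on
// the server, so a request sent from a "re-enabled" link is refused.
function inviteAdminFixed(session, now, email, account) {
  if (isLockedOut(session, now)) {
    return { status: 401, error: "re-authentication required" };
  }
  session.lastActivity = now;
  account.admins.push(email);
  return { status: 200 };
}

// Simulates the attack from the post: the page is locked out, the attacker
// strips "disabled" client-side and submits the invite for themselves.
function simulateAttack(handler) {
  const now = Date.now();
  const session = makeIdleSession(now);
  const account = { admins: ["owner@example.com"] };
  const markup = renderInviteLink(session, now);
  const tampered = markup.replace(" disabled", ""); // what inspect-element does
  const res = handler(session, now, "attacker@example.com", account);
  return {
    markupWasDisabled: markup.includes("disabled"),
    tampered,
    status: res.status,
    admins: account.admins,
  };
}

// Legitimate path: the owner returns, re-enters the password, then invites.
function simulateLegitimate() {
  const now = Date.now();
  const session = makeIdleSession(now);
  const account = { admins: ["owner@example.com"] };
  if (!reauthenticate(session, "correct horse", now)) return { status: 401 };
  return inviteAdminFixed(session, now, "colleague@example.com", account);
}

const vuln = simulateAttack(inviteAdminVulnerable);
const fixed = simulateAttack(inviteAdminFixed);
console.log("client-side only:", vuln.status, vuln.admins);   // 200, attacker added
console.log("backend check:   ", fixed.status, fixed.admins); // 401, unchanged
```

The point of the two handlers is that the tampered markup never reaches the server at all; only the request does, so the server must decide for itself whether the session is still inside the idle window. Any hidden, greyed-out or `disabled`-classed control should be treated as a hint to the user, never as an authorisation decision.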
Stripe security was very responsive in resolving this issue and it was fixed shortly after I reported it. I asked permission before publishing this article. Bounty: $500.
I have some more bounty writeups that are a bit more technical than this one coming soon, including a writeup on a CVE I discovered, so check back later for more updates. Additionally, you can follow me on Twitter to stay up to date with my bugs and what I’m doing, if you wish.