#jesper_code


lofty lakeBOT
#


🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1339977121887424576


tulip glacier
#

Hi, I do not fully understand your concern. If your customer is logged in and you're passing that customer ID on the Checkout Session, that means you've got a trusted user, right?

mossy sail
#

Yes, but an attacker could create a 'guest' account and, instead of visiting the redirect URL themselves, use phishing techniques to send this URL to a victim.

#

The victim would then see billing.stripe.com or our own domain and think they are giving their details to us.

#

But actually, once the checkout is completed, this person would lose access to the customer portal, and the attacker now gains a subscription + the details of this user.

mossy sail
#

We show a customer portal link, so the attacker would essentially just get the details that the victim entered during checkout (except for credit card details, for which only the last 4 digits are shown).

#

So in this case the address is visible, and the name of the user is visible on invoices as well, it seems.

tulip glacier
#

I see. You'd want to vet the customer in your system before you create the Checkout Session.

mossy sail
#

I'm not sure I understand correctly. Vet as in manually check that they're a legitimate user?

#

I can't really do that manually for each user. Or are you referring to just making sure each user gets their own Stripe customer assigned?

#

Because if so, I'm already doing that. The problem is that an attacker could make a victim visit this URL regardless of whether they are logged in on our site or not.

tulip glacier
#

What I'm having a hard time understanding is how they would send the URL to your legitimate customers. If you pass the customer email address on the Checkout Session, wouldn't they know that it's not their Checkout?

mossy sail
#

Ahhh, sorry, yeah, you're right.

#

I completely missed that part, haha.