#davidev-error
Our representatives found a failure during payment on your website, in which it would be possible to receive the product without payment validation.
We will be glad to offer our services to solve it.
Can you provide information on how to reproduce? What specific site are you talking about?
I'm sorry but you really need to be providing way more detail - we (Stripe) provide a Checkout Session API for collecting payment, but the logic to determine when to give access to a product is ultimately on the customer to implement. If you give me more details I can pinpoint whether this is an issue on our end or not, but right now there isn't enough information.
Basically, the problem is when making the payment. Without a specific code to protect the payment process, any user could intercept the website's command, thus making the payment without the necessary information, for example without the card number. We tested this and found this flaw.
By the way, we are a Bug Bounty company.
Can you go into more details on what you mean by "any user could intercept the website's command"?
Through the HTML code, it is possible to create an id to change the information entered by the user at checkout. This is done as soon as the user completes the purchase, without executing the payment.
I'd recommend writing into support with more details on exactly how to reproduce this - you can email them at support@stripe.com
@marble storm Stripe maintains a vulnerability disclosure program, described here: https://stripe.com/docs/security/stripe#disclosure-and-reward-program. However, I'm dubious that you've found a way to complete a payment intent without submitting a card number. Please submit a proof of concept if so.