
Major Security Flaw Found in 1,542 Web Apps Using Stripe Webhooks Without Signature Verification
A security research scan of 6,000 web applications revealed that 1,542 applications fail to properly verify Stripe webhook signatures, leaving them vulnerable to fake payment events. The scan sent fraudulent checkout.session.completed events without the required Stripe-Signature header to common webhook endpoints. The vulnerable applications that returned 200 responses, indicating acceptance of unsigned events, included approximately 720 custom domains and applications hosted on popular platforms including Render (198 instances), Vercel (142 instances), and Replit (121 instances). While researchers note that some endpoints may only log events without granting unauthorized access, the widespread misconfiguration represents a significant security risk. Complete methodology details are available in the linked technical writeup.
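To make the misconfiguration concrete, the following added example (not code from the writeup or from Stripe) shows a handler that trusts the request body as-is next to one that first checks the Stripe-Signature header. It reimplements Stripe's documented scheme (HMAC-SHA256 over "timestamp.body", header format `t=...,v1=...`, a 300-second timestamp tolerance) with the standard library; the endpoint secret and event payload are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed sample secret; a real one is the whsec_... value Stripe shows for the endpoint.
ENDPOINT_SECRET = "whsec_example_constructed_secret"
TOLERANCE_SECONDS = 300  # Stripe's default replay window


def handle_unverified(raw_body):
    """Vulnerable pattern: any client that can POST JSON can 'complete' a checkout."""
    event = json.loads(raw_body)
    granted = event.get("type") == "checkout.session.completed"
    return {"status": 200, "granted": granted}


def verify_stripe_signature(raw_body, sig_header, secret, now=None):
    """Return True only if the header carries a fresh, valid v1 signature for raw_body."""
    if not sig_header:
        return False  # the scan's unsigned events fail here
    timestamp, signatures = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            signatures.append(value)  # Stripe may send several v1 values during secret rotation
    if timestamp is None or not timestamp.isdigit() or not signatures:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale header: treat as replay
    signed_payload = timestamp.encode() + b"." + raw_body  # must be the raw bytes, not re-serialized JSON
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, s) for s in signatures)


def handle_verified(raw_body, sig_header, now=None):
    """Hardened handler: same business logic, but only after the signature check passes."""
    if not verify_stripe_signature(raw_body, sig_header, ENDPOINT_SECRET, now):
        return {"status": 400, "granted": False}
    return handle_unverified(raw_body)


def sign_like_stripe(raw_body, secret, timestamp):
    """Builds a header the way Stripe's servers do, for producing a valid sample event."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"
```

Note that the verification runs on the raw request bytes: frameworks that parse and re-serialize the JSON before the check will compute a different HMAC and reject legitimate events.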