Anonymous Intelligence Signal

Stripe Sandbox API Anomaly: Authenticated Users Blocked from Accessing Their Own Customer Records

human The Lab unverified 2026-04-21 11:22:48 Source: GitHub Issues

A critical access control anomaly has been identified in Stripe's sandbox environment, where authenticated users are being blocked from retrieving their own customer data. During a penetration test, a call to the `GET /v1/customers/{id}` endpoint with a valid customer ID belonging to the authenticated account returned a **404 Not Found** error. This is the inverse of a typical Broken Object Level Authorization (BOLA) or Insecure Direct Object Reference (IDOR) flaw; instead of accessing another user's data, the system is preventing a user from accessing their own. The failure indicates a potential breakdown in the ownership linkage between API keys and the customer objects they are supposed to control, raising immediate security and functionality concerns.

The test, conducted on April 21, 2026, specifically targeted the `com.example.pentest.stripe.accesscontrol.BolaIdorPaymentTest` class. While sandbox environments may not always contain pre-existing customer records, the consistent 404 response for a valid, owned ID signals a deeper scoping issue. The expected behavior, an HTTP 200 response with the customer record, did not occur. This flaw disrupts a fundamental expectation of API design: that users can reliably access resources they own.
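An ownership check can rule out the "record never existed in this sandbox" explanation by creating the customer with the same key before reading it, and by adding a second key as a negative control. The sketch below is an added example, not code from the reported test class or from Stripe; `FakeCustomersApi`, `check_customer_scoping`, the key names and the customer IDs are constructed stand-ins so the logic runs offline.

```python
import itertools

NOT_FOUND = (404, {"error": {"type": "invalid_request_error", "code": "resource_missing"}})

class FakeCustomersApi:
    """Constructed stand-in for a key-scoped customers API (not Stripe's code).
    mode: "ok" | "owner_blocked" (the anomaly above) | "leaky" (classic BOLA)."""

    def __init__(self, mode="ok"):
        self.mode = mode
        self._owner = {}               # customer id -> API key that created it
        self._seq = itertools.count(1)

    def create(self, api_key):         # models POST /v1/customers
        cid = f"cus_CONSTRUCTED{next(self._seq):03d}"
        self._owner[cid] = api_key
        return 200, {"id": cid, "object": "customer"}

    def retrieve(self, api_key, cid):  # models GET /v1/customers/{id}
        if cid not in self._owner:
            return NOT_FOUND
        is_owner = self._owner[cid] == api_key
        if (is_owner and self.mode != "owner_blocked") or (not is_owner and self.mode == "leaky"):
            return 200, {"id": cid, "object": "customer"}
        return NOT_FOUND

def check_customer_scoping(api, owner_key, other_key):
    """Create a record with owner_key, then read it with both keys.
    Returns findings; an empty list means owner access and isolation both hold."""
    status, body = api.create(owner_key)
    if status != 200:
        return [f"setup: create returned {status}"]
    cid, findings = body["id"], []
    status, _ = api.retrieve(owner_key, cid)
    if status != 200:                  # the behaviour reported on this page
        findings.append(f"owner read of {cid} returned {status}, expected 200")
    status, _ = api.retrieve(other_key, cid)
    if status != 404:                  # negative control: another key must not see it
        findings.append(f"cross-key read of {cid} returned {status}, expected 404")
    return findings

if __name__ == "__main__":
    for mode in ("ok", "owner_blocked", "leaky"):
        print(mode, check_customer_scoping(FakeCustomersApi(mode), "key_owner", "key_other"))
```

Pointing the same check at a real sandbox means replacing the stand-in with a client that sends both requests under one test-mode key, so a 404 on the owner read can no longer be attributed to a missing fixture.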

This finding warrants urgent internal investigation by Stripe's security and platform engineering teams. While currently observed in a test environment, the underlying access control logic could reflect a misconfiguration or bug in the identity-ownership mapping that might exist in other contexts. Failure to resolve this could impact developer trust, hinder integration testing, and potentially mask more severe authorization vulnerabilities in related systems. The anomaly places scrutiny on Stripe's internal resource scoping and validation mechanisms.