Anonymous Intelligence Signal

1,542 Web Apps Fail Stripe Webhook Signature Checks, Exposing Payment Flows to Forgery

The Lab | unverified | 2026-05-09 04:31:42 | Source: r/netsec

A scanning project targeting 6,000 web applications has uncovered a widespread security failure: 1,542 servers processed forged Stripe webhook events without verifying the signature header. Researchers sent minimal fake `checkout.session.completed` events to common webhook endpoints without any `Stripe-Signature` header. A quarter of targets returned HTTP 200, indicating acceptance and processing of unauthenticated payment notifications.

The vulnerable population spans production SaaS applications on custom domains alongside deployments on modern hosting platforms. Roughly 720 affected apps run on custom production domains, with additional concentrations on Render (198), Vercel (142), Replit (121), and a long tail across Railway, Fly, Heroku, and others. The issue is not a Stripe flaw but a developer implementation gap. Stripe's official libraries provide signature verification as a single function call, and framework documentation includes canonical examples. Yet the development workflow often leaves verification as an afterthought or skips it entirely during integration.

The practical risk depends on what each webhook handler does with incoming events. At minimum, forged events may pollute logs or trigger unintended side effects. In more dangerous configurations, attackers could mark accounts as paid, confirm orders without payment, or unlock gated functionality. The attack surface requires only knowledge of the webhook path and the ability to send a crafted HTTP request. With webhook URLs often predictable and no cryptographic validation in place, the barrier to exploitation is low. The finding signals a systemic blind spot in payment integration practices across the SaaS and startup ecosystem, where speed of deployment may be outpacing security fundamentals.
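What the single library call the article refers to actually checks, as an added example that is not the page's or Stripe's own code: Stripe's documented v1 scheme (an HMAC-SHA256 over `<timestamp>.<raw body>`, carried in the `Stripe-Signature` header as `t=...,v1=...`) re-implemented in plain Python so it runs offline, with the rejecting paths a hardened handler needs. The endpoint secret and the event body are constructed values; in a real service you would call the official library's verifier with the secret from your configuration rather than re-implement it.

```python
import hashlib
import hmac
import json
import time
# Constructed secret for the example; a real one comes from the Stripe dashboard
# and lives in configuration, not in source.
ENDPOINT_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # replay window; Stripe's libraries default to 5 minutes

def _digest(secret, timestamp, payload):
    # Stripe's v1 scheme: HMAC-SHA256 over "<timestamp>.<raw request body>"
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def sign_payload(payload, secret, timestamp):
    """Build a Stripe-Signature value (t=<ts>,v1=<hex>); used only to construct test input."""
    return f"t={timestamp},v1={_digest(secret, timestamp, payload)}"

def verify_webhook(payload, sig_header, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return the parsed event only if the header carries a valid, fresh v1 signature.
    Verify the raw body bytes; re-serialised JSON will not match the signature."""
    if not sig_header:
        raise ValueError("missing Stripe-Signature header")
    timestamp, candidates = None, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":  # several v1 entries appear while a secret is being rotated
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        raise ValueError("malformed Stripe-Signature header")
    expected = _digest(secret, timestamp, payload)
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise ValueError("signature mismatch")
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        raise ValueError("timestamp outside tolerance window")
    return json.loads(payload)

def handle_webhook(payload, sig_header, now=None):
    """HTTP status a hardened endpoint returns; the failing servers skip verify_webhook."""
    try:
        event = verify_webhook(payload, sig_header, ENDPOINT_SECRET, now)
    except ValueError:  # also covers a body that is not valid JSON
        return 400
    return 200  # only now is it safe to act on event["type"], e.g. mark the order paid

# Constructed event body resembling what the scan sent; no real Stripe data.
FORGED_EVENT = json.dumps({"id": "evt_constructed", "type": "checkout.session.completed",
                           "data": {"object": {"id": "cs_constructed"}}}).encode()
```

A handler that returns 200 for `handle_webhook(FORGED_EVENT, None)` is in the population the scan counted; the hardened version above returns 400 for a missing header, a wrong secret, a tampered body, or a stale timestamp.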