Hi everyone,
So basically I have been testing some payment workflows for some apps, and have come across a very strange and frustrating thing with the Stripe checkout.
I have set up a one page checkout page where the visitor choses their product, puts their email in an input box and then presses the “proceed to payment” button. This triggers the “charge current user” and redirects to the Stripe hosted checkout page.
So at this point, the page visitor is not logged in, nor created an account.
When testing I have discovered that, when checking out, if there is already a customer in Stripe with the same email that I put in the input box on my bubble page, it will autofill all their card details.
So if one person in the UK checks out under sam@example.com, then someone in the US could go onto the same page, put in sam@example.com into the input and the card details would be stored from the first person and they can complete the purchase and PAY from the first persons card info.
So it is a pretty big breach.
I have tried it on VPNs, other peoples devices that are no way connected to mine, and you can literally just pay with someone else’s card, simply if you know their email address.
Has anyone else had this issue, have any bright ideas or know of a place I can just turn the autofill feature off on stripe?
I have thought about using a custom input form that passes it all through as tokens so it never redirects to the Stripe hosted checkout page, but I really want my app to all be done on Stripe hosted checkouts so my customers think that it is safe (ironic, I know)!
I’m really hoping there is just a toggle that I can switch on Stripe, but I have looked high and low and can’t find anything.
Really appreciate any help!
Thanks,
Sam