Massive data breach issue for Stripe! Stripe Autofill Other Peoples Cards?

Hi everyone,

So basically I have been testing some payment workflows for some apps, and have come across a very strange and frustrating thing with the Stripe checkout.

I have set up a one page checkout page where the visitor choses their product, puts their email in an input box and then presses the “proceed to payment” button. This triggers the “charge current user” and redirects to the Stripe hosted checkout page.

So at this point, the page visitor is not logged in, nor created an account.

When testing I have discovered that, when checking out, if there is already a customer in Stripe with the same email that I put in the input box on my bubble page, it will autofill all their card details.

So if one person in the UK checks out under sam@example.com, then someone in the US could go onto the same page, put in sam@example.com into the input and the card details would be stored from the first person and they can complete the purchase and PAY from the first persons card info.

So it is a pretty big breach.

I have tried it on VPNs, other peoples devices that are no way connected to mine, and you can literally just pay with someone else’s card, simply if you know their email address.

Has anyone else had this issue, have any bright ideas or know of a place I can just turn the autofill feature off on stripe?

I have thought about using a custom input form that passes it all through as tokens so it never redirects to the Stripe hosted checkout page, but I really want my app to all be done on Stripe hosted checkouts so my customers think that it is safe (ironic, I know)!

I’m really hoping there is just a toggle that I can switch on Stripe, but I have looked high and low and can’t find anything.

Really appreciate any help!

Thanks,
Sam

It is not a stripe issue, it is an issue that you need to fix within your app. You need to change the way you are sending Stripe the customer object as well as customer email address and how you are capturing them before/after purchase.

How are you connecting to Stripe, with a plugin or directly through API calls that you set up?

I’m currently using the Bubble plugin, it is exactly what I need, besides this.

I could setup the API calls and ensure that there is a parameter that sets setup_future_usuage to “on_session” instead of off session, which I think will fix the issue, however the fact you need to setup price IDs on stripe and cannot get the amounts dynamically mean that it isn’t that suitable. Unless you know a way around this?

Thanks for your message

a way around what? The issue of not getting the price dynamically? If you are using the Stripe plugin by Bubble, the price the user is charged is based on the price set in Stripe for the price ID you use within the plugin for a checkout session creation…so if your issue is that you can not display the price dynamically to the user based on the price ID, that is because I do not believe the stripe plugin by Bubble has the built in api calls to get a Price Object so as to use the amount associated with that price in stripe.