High Severity
CVSS 8.8

Critical Vulnerability Report: SEPA Direct Debit Payment System Validation Issue on Stripe Payment Gateway

December 18, 2024

Description

A significant vulnerability has been identified in Stripe's SEPA Direct Debit payment system implementation, affecting multiple client companies including nele.ai. This vulnerability allows for premium subscription activation without proper IBAN validation, potentially violating EU financial regulations around payment verification and posing risks of unauthorized IBAN usage.

CVSS Score: 8.8 (High)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low (an ordinary free account is enough; with no privileges required the same vector would score 9.8)
  • User Interaction: None
  • Impact: High

Steps to Reproduce

  • Create a new account or use an existing free account on a Stripe-based service offering SEPA Direct Debit (e.g., nele.ai)
  • Navigate to the upgrade subscription page
  • Select SEPA Direct Debit as the payment method
  • Enter any IBAN that passes the format (MOD 97 checksum) check; it does not need to belong to an account you control
  • Complete the subscription process
  • Observe that the premium subscription is activated immediately, before the first direct debit collection can have settled
Technical Details

The current implementation allows:

  • Premium subscription activation using any checksum-valid IBAN, without verification that it belongs to the subscriber
  • Immediate access to premium features while the first collection is still pending
  • No validation between the entered IBAN and the account holder details
Impact

Regulatory Implications

The EU Instant Payments Regulation (Regulation (EU) 2024/886) introduces a mandatory Verification of Payee service:

  • The payee's IBAN is matched against the account holder name before a euro credit transfer is executed
  • Payment service providers in the euro area must offer the check by 9 October 2025
  • The obligation covers euro credit transfers (instant and regular); creditor-initiated SEPA Direct Debit collections are governed by the SEPA Direct Debit rulebooks instead, under which the debtor can reclaim an authorised SDD Core collection for eight weeks after the debit and an unauthorised one for thirteen months

The practical consequence for a merchant is the same under either regime: a debit drawn on an IBAN its owner never authorised will be returned or refunded, so access granted on the strength of an unverified IBAN is access that may never be paid for.
Business Impact

  • Revenue leakage for Stripe's client companies: premium service is delivered before the collection settles and cannot be recovered when the mandate fails or the debit is returned
  • Processing fees for failed and returned Direct Debit collections
  • Potential regulatory scrutiny under the new EU payment regulations
  • Risk of third-party IBANs being used without the account holder's authorisation
  • Customer complaints and refund requests from account holders who see unauthorised charges
Scope of the Issue

This behaviour is not specific to nele.ai: any Stripe-based service that activates a SEPA Direct Debit subscription as soon as the mandate is created, rather than when the first collection is confirmed, exposes the same issue. The financial loss scales with the number of such integrations across Stripe's client base.

Industry Comparison

Companies like hide.me and squarespace.com, which use their own payment gateways, have implemented proper IBAN validation, demonstrating that this issue can be addressed effectively.

Recommended Fixes

  • Implement IBAN verification:
    - Account holder name validation (the MOD 97 checksum only proves the IBAN is well-formed, not that the subscriber owns the account)
    - Integration with verification services
    - Real-time IBAN validation before subscription activation
  • Follow payment processing best practices:
    - Verify payment before service provisioning: SEPA Direct Debit is a delayed-notification method, so grant premium access on the settlement event (for example Stripe's invoice.paid) rather than on mandate or subscription creation, and revoke it when a collection fails or is returned
    - Implement proper transaction monitoring (return and refund rates per IBAN and per account, repeated sign-ups reusing one IBAN)
Additional Information

I have attached the following to this report:

  • An invoice received from GAL Digital GmbH related to this transaction
  • A video recording demonstrating the vulnerability

Please note that I have also reported this vulnerability to nele.ai (support@nele.ai) to ensure all relevant parties are informed.

Disclosure Timeline

  • Public disclosure date: 18/12/2024 (5 weeks from now)
  • This timeline may be extended if the fix is not implemented within this period

Conclusion

This vulnerability in Stripe-based SEPA Direct Debit integrations exposes Stripe and its client companies to regulatory compliance risk and to revenue leakage through failed or returned SEPA collections. Swift implementation of proper verification, and of provisioning only once a collection has settled, would mitigate these risks and bring the affected services in line with industry best practice.