Fixed & Rewarded
Al-Qassa Electronic Payment
Project 015 · Security Research · Responsible Disclosure · 2025

Webhook Payment Verification Vulnerability

A responsible disclosure case study with Al-Qassa Electronic Payment.

Identified a critical weakness in how payment status was verified across the webhook / payment-callback flow of a fintech payment gateway. Reported privately, patched by the vendor, and acknowledged with an official reward.

Presented here as a professional case study. No exploit steps, payloads, endpoints, or sensitive technical details are included — only the shape of the issue, its impact, and the disclosure outcome.

Cybersecurity · Webhook Security · Payment Gateway · Responsible Disclosure · Fintech Security · Vulnerability Research

§ Case Study

Overview

A payment verification weakness existed in the gateway's webhook / callback handling. Because incoming payment status notifications were not strictly validated end-to-end, an attacker positioned to influence the callback could cause a transaction's state to be trusted as successful when it was not. The business impact reached the core promise of any payment system: that a 'paid' state on the merchant side actually corresponds to a real, settled payment.

Impact

Without robust webhook verification, payment status could be manipulated and unauthorized transactions could appear as 'paid'. For a payment gateway this is a high-severity issue — it touches financial integrity, merchant trust, and downstream order fulfilment. The flaw was reproducible in a controlled, ethical setting and reported before any abuse.

Responsible Disclosure

The issue was reported privately to Al-Qassa Electronic Payment through their disclosure channel. The vendor acknowledged the report, deployed a fix to harden webhook verification on the payment flow, and issued an official reward and recognition for the research. No technical details, payloads, or sensitive artefacts are published.

Skills Demonstrated

Webhook security · payment flow analysis · API testing · backend security review · fintech risk assessment · coordinated responsible disclosure and vendor communication.

Payment flow · simplified

Customer → Merchant → Payment Gateway → [Webhook / Callback] → [Merchant Verification] → Order Marked Paid

The bracketed steps mark where webhook verification must be enforced end-to-end. The reported issue lived in this segment of the flow and has since been patched.
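To make the "enforced end-to-end" point concrete, the following is an added illustration (not Al-Qassa's code and not taken from the report) of a merchant-side callback handler in its weak form beside a hardened one. The header names, the timestamp-plus-body HMAC scheme, and the `lookup_status` callback standing in for a server-to-server status query to the gateway are assumptions made for the example.

```python
import hmac
import hashlib
import json
import time

# Constructed value for this demonstration; a real integration uses the
# gateway's issued secret and its documented status-lookup API.
WEBHOOK_SECRET = b"constructed-demo-secret"


def sign_payload(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC over timestamp + body, as the gateway side is assumed to compute it."""
    return hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()


def handle_callback_weak(body: bytes, orders: dict) -> str:
    """Weak handler: trusts whatever status the callback body claims."""
    event = json.loads(body)
    if event.get("status") == "paid":
        orders[event["order_id"]]["state"] = "paid"
        return "accepted"
    return "ignored"


def handle_callback_hardened(body: bytes, headers: dict, orders: dict,
                             lookup_status, now=None, max_skew: int = 300) -> str:
    """Hardened handler: freshness, signature, then authoritative confirmation."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return "rejected: bad timestamp"
    if abs(now - ts) > max_skew:
        return "rejected: stale"  # bounds replay of an old but validly signed callback
    expected = sign_payload(body, ts)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return "rejected: bad signature"
    event = json.loads(body)
    order = orders.get(event.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    # Never trust the callback's own status field: confirm with the gateway
    # (lookup_status is the assumed server-to-server query) and cross-check amount.
    truth = lookup_status(event.get("transaction_id"))
    if truth is None or truth["status"] != "paid":
        return "rejected: not confirmed by gateway"
    if truth["amount"] != order["amount"] or truth["currency"] != order["currency"]:
        return "rejected: amount mismatch"
    order["state"] = "paid"
    return "accepted"
```

The weak handler marks the order paid on the strength of the callback alone; the hardened one only does so once the gateway itself confirms a settled payment for the expected amount.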
