Root cause analysis: Stripe Atlas founder data potentially accessible

Alex Kehayias on January 6, 2020

Stripe was notified on December 11, 2019, by Legalinc that first names, last names, and Social Security Numbers (SSNs) of some Stripe Atlas customers were potentially accessible via guessable URLs. We understand that Legalinc was itself notified on December 4th that the URLs could be guessed by a process of enumerating on a known valid URL.

We have no evidence that any information was improperly accessed or misused, but out of an abundance of caution, we have notified the approximately 2,670 individuals whose potentially accessible information included an SSN.

We have described the technical root cause of this issue below, for the benefit of technical and security professionals.

Stripe and Legalinc’s relationship

Legalinc is a software company which automates processes required to operate a portion of the Stripe Atlas service, including filing certain forms generated by Stripe with the U.S. State of Delaware and with the U.S. Internal Revenue Service (IRS). These filings are analog in nature and frequently require manual followup via phone or fax. Legalinc specializes in operationalizing these processes.

Stripe’s engineers reviewed the technical integration with Legalinc for soundness prior to using them as a conduit for customer information to the State of Delaware and to the IRS. The guessable URLs were a regression from the implementation that we reviewed.

Documents stored by Legalinc

As a routine part of the Stripe Atlas service, Stripe provides to founders a “final packet” containing copies of correspondence from the State of Delaware and the IRS that are received as a result of the filings which Stripe and Legalinc conduct on the founders’ behalves.

Most information in these packets (such as a Certificate of Incorporation) is non-sensitive and contained in public records, which are made available by the US State of Delaware to the general public for all corporations incorporated in Delaware. For example, Stripe’s own information is available in file number 4675506 through the Delaware Secretary of State.

One document included in the final packet is Form SS-4, an application for an Employer Identification Number (EIN). US companies use EINs to establish bank accounts and file taxes, among other purposes. Stripe Atlas files for EINs with the IRS for most companies we assist users in forming. The IRS’ first official notification of a newly issued EIN is to return Form SS-4 with the EIN handwritten in the top right corner. We thus include this form in the final packet for our users’ records, as they may be asked to show it as proof of issuance of the EIN.

Form SS-4s filed by Stripe Atlas will include the first and last name of one founder. They also may include that founder’s Social Security Number, depending on whether that founder has one.

Legalinc stores the final packets on S3, Amazon’s cloud object storage service. Legalinc generates a URL for the final packet, which it shares with us. We then download the packet from Legalinc, copy it to secure Stripe infrastructure, and present it to our users through their Stripe dashboard, which requires authenticating with their credentials.

At the time we integrated with Legalinc’s document storage architecture, Legalinc included a unique long unguessable string in the URL for each final packet. We considered this shared secret an adequate control to prevent unauthorized users from accessing the packets.

Degradation in document storage

Late in 2017, due to a programming error, Legalinc began generating S3 URLs which did not include the long unguessable string in the URL. The remaining part of the URL was sufficiently predictable such that seeing one company’s URL would allow one to predict other companies’ URLs. Stripe did not recognize that the URL’s structures had changed because our automated processes did not treat them as semantically meaningful.

A security researcher reported to Legalinc on December 4th, 2019 that they believed other companies’ URLs were potentially enumerable. Legalinc verified that this was the case and mitigated the issue by reintroducing unguessable shared secrets in URL generation, enabling AWS CloudTrail logging, and by rolling all affected URLs. Legalinc then informed us of this issue on December 11th.

We immediately worked with Legalinc to verify that their remediations were adequate, that the logs did not indicate ongoing speculative access of guessed URLs, and to scope out the potentially affected cohort of Stripe Atlas users. We narrowed the scope of the incident to users who had incorporated while the bugged code was generating URLs.

After we had identified the potentially affected subset of users, we coordinated with Legalinc to manually review all documents which had been possibly publicly available for sensitive information. This was, effectively, only those users who had had a Social Security Number of a founder on their Form SS-4. We then notified these users and provided for them to receive credit monitoring services at no cost to them.

As part of the incident remediation process, we will assist Legalinc in hardening their security practices.

We are sorry that there is a possibility that this bug may have disclosed user information.

We would have preferred to publish this root cause analysis earlier but were coordinating the appropriate level of user-facing communications and regulatory disclosures across the many places potentially affected Stripe Atlas users call home. This was exacerbated by it being, in many of those places, a holiday.