Stripe disclosed a bug submitted by bashcancare: https://hackerone.com/reports/1637761 – Bounty: $250 [Source]