Is it a security issue that Paypal uses a dynamic certificate to verify webhook notifications?
Refer to the documentation of the Paypal API at https://developer.paypal.com/api/rest/webhooks/
It says that the certificate to verify the signature comes from a header PAYPAL-CERT-URL of the HTTP request, so wouldn't the attacker bypass the verification by giving a certificate of the attacker's own?
Solution 1:[1]
Potentially. But the <webhookId> is not known by an attacker. This is only obtained when you create/register the webhook, or in the developer.paypal.com dashboard. It is not the event id.
So it shouldn't be necessary since that 17 digit id isn't something they can spoof to create a body that will pass checksum signature validation; but if you're still concerned about the PAYPAL-CERT-URL, you could restrict it to ones from domains *.paypal.com and *.paypalobjects.com
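One way to apply the domain restriction suggested in the answer above, as an added example that is not part of the original post or PayPal's own code: it checks the PAYPAL-CERT-URL value before any certificate is fetched. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Allowlist from the answer: *.paypal.com and *.paypalobjects.com
ALLOWED_PARENT_DOMAINS = ("paypal.com", "paypalobjects.com")


def is_trusted_cert_url(url: str) -> bool:
    """True only for an https URL whose host is a subdomain of the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject userinfo, e.g. "https://api.paypal.com@evil.example/":
    # the real host there is evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    # Match on a label boundary so "evilpaypal.com" and
    # "api.paypal.com.evil.example" do not pass a naive substring test.
    return any(host.endswith("." + d) for d in ALLOWED_PARENT_DOMAINS)


def checked_cert_url(headers: dict) -> str:
    """Return PAYPAL-CERT-URL from the request headers, or raise if untrusted."""
    lowered = {k.lower(): v for k, v in headers.items()}
    url = lowered.get("paypal-cert-url", "")
    if not is_trusted_cert_url(url):
        raise ValueError(f"untrusted PAYPAL-CERT-URL: {url!r}")
    return url


if __name__ == "__main__":
    # Constructed sample header values, not captured from real traffic.
    for sample in (
        "https://api.paypal.com/certs/EXAMPLE",
        "https://evilpaypal.com/certs/EXAMPLE",
        "https://api.paypal.com@evil.example/certs/EXAMPLE",
    ):
        print(sample, "->", is_trusted_cert_url(sample))
```

Run this check before downloading the certificate, and reject the webhook when it raises.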
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
