Webhook API security issue

A Webflow user can easily install a malicious (or just poorly written) integration that deletes all of the webhooks on their site, thus breaking any other integrations they may have had installed.

First, get all the webhook IDs:

https://developers.webflow.com/#list-webhooks

Then iterate over the list and delete each one:

https://developers.webflow.com/#remove-webhook

Note that as of today I've already seen this being abused.

  • Chris Spags
  • Sep 29 2020
  • Planned
  • Admin
    Webflow Admin commented
    28 Jun, 2021 03:17pm

    Thanks for the report. Confirmed that webhooks will be covered in our annual security review performed by external reviewers, so with that information, this item is going to be closed. Any flaws or security issues brought up will be dealt with swiftly.


    Next time that you suspect a bug or security issue, please report it directly to support@webflow.com. Thanks again.



  • Faraz Khan commented
    7 Nov, 2020 08:28am

    Webflow webhook has too many security flaws.
    1. Should definitely remove the webhook list API so that other integrations cannot see it
    2. Should also have a way to authenticate on the server where the request is being sent to, so that the server knows where the request is coming from and if it's a valid request or not

    Using the webhook listing API, a third-party integration can send invalid data to other webhooks

  • Hyphae Admin commented
    9 Oct, 2020 10:20pm

    What are you proposing as a solution? Disable "list-webhooks"?
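
An added example, not part of the original thread and not Webflow's code: one way a receiving server could do the sender authentication asked for in point 2 of Faraz Khan's comment, assuming the sender signs each delivery with HMAC-SHA256 over a timestamp and the raw body. The shared secret, the signed-message layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: sender and receiver exchanged this secret out of band (constructed value).
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # deliveries older than five minutes are treated as replays


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    message = timestamp.encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, timestamp, body, signature, now=None):
    """Receiver side: return (accepted, reason) for one webhook delivery."""
    now = time.time() if now is None else now
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return False, "bad timestamp"
    # The timestamp is covered by the MAC, so an old capture cannot be re-dated.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison on bytes; a missing header compares as empty.
    if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Run constructed deliveries through verify() and collect the verdicts."""
    now = 1_600_000_000
    ts = str(now)
    body = b'{"event":"form_submission","email":"a@example.com"}'  # constructed payload
    sig = sign(SHARED_SECRET, ts, body)
    return {
        "genuine": verify(SHARED_SECRET, ts, body, sig, now=now),
        "tampered_body": verify(SHARED_SECRET, ts, body + b" ", sig, now=now),
        "unsigned": verify(SHARED_SECRET, ts, body, None, now=now),
        "replayed": verify(SHARED_SECRET, ts, body, sig, now=now + 3600),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The receiver must run the check over the raw request bytes before any JSON parsing, since re-serialising the body changes the bytes that were signed.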