Webhook API security issue

A Webflow user can easily install a malicious (or just poorly written) integration that deletes all of the webhooks on their site. Thus breaking any other integrations they may have had installed.

First get all the webhook IDs

https://developers.webflow.com/#list-webhooks

Then iterate over the list and delete each one

https://developers.webflow.com/#remove-webhook

Note that as of today I've already seen this being abused.

  • Chris Spags
  • Sep 29 2020
  • Planned
  • Admin
    Webflow Admin commented
    June 28, 2021 15:17

    Thanks for the report. Confirmed that webhooks will be covered in our annual security review performed by external reviewers, so with that information, this item is going to be closed. Any flaws or security issues brought up will be dealt with swiftly.


    Next time that you suspect a bug or security issue please report it directly to support @webflow.com. Thanks again.



  • Faraz Khan commented
    November 07, 2020 08:28

    Webflow webhook has too many security flaws.
    1. Should definitely remove the webhook list api so that other integrations can not see it
    2. Should also have a way to authenticate on the server where the request is being sent to, so that the server knows where the request is coming from and if its a valid request or not

    Using the webhook listing api a third party integration can send invalid data to other webhooks

  • Hyphae Admin commented
    October 09, 2020 22:20

    what are you proposing as a solution? disable "list-webhooks"?