
Shopify Bug Bounty – 2 (contd. from the last one)

October 28, 2013

I wrote a post about my experience with the Shopify Bug Bounty program yesterday.

Soon after that, folks from Shopify commented on that post saying that it is still reproducible and that they did not change anything in the code and that it is still not considered a valid finding.

After further investigation, I tried to reproduce it again and was able to do so successfully. I realized what I was doing wrong and how I reproduced it in the first place. In the process of doing so, I realized a different attack vector which I hadn’t thought of earlier. I still think this is an issue but the folks at Shopify don’t seem to agree with me.

So, this is what happens during the checkout process:

1. When a customer (C) proceeds to checkout, he is asked to authenticate to the website. This is because the shop admin had the setting where only registered customers would be able to check out. The URL looks like this – http://<myshop>.myshopify.com/account/login/xxxxxxxxxxxx?checkout_url=https%3A%2F%2Fcheckout.shopify.com%2Fcarts%2F<shop_id>%2F<cart_token>

[Screenshot: Screen Shot 2013-10-28 at 10.59.47 PM]

2. After authenticating, the cart_token or the cart_id gets associated with that customer (C) and the shop. The customer C is then redirected to the URL https://checkout.shopify.com/carts/<shop_id>/<cart_token>.  This is the key step. The customer has to authenticate to the shop at least once in order for this attack to work. As we will see from the steps below, this is trivial. The attacker doesn’t have to trick a user to authenticate.


3. After authenticating, let's assume that the customer decides that he does not want to shop anymore and he simply closes that browser. No matter how tech savvy this customer is, he is left with no choice but to close the browser because there is no logout option on that page.

Attack Vector 1 – If the customer is shopping on a shared workstation, an attacker comes to that workstation, reopens the browser, looks through the browser history and navigates to the above URL. Boom, all the information is right there.

Attack Vector 2 – Since there is no session associated with this request, there are no session cookies either. All the attacker needs is the URL. And, he can navigate to it from a different computer altogether and access the information.

Once the attacker navigates to the above URL, he is directly taken to the checkout page of the customer C where he can see the customer’s email address (masked below) and his billing address. The attacker simply enters his shipping address and continues to the next step.

[Screenshot: Screen Shot 2013-10-28 at 11.06.14 PM]

4. On the next step, the attacker chooses one of the many options of payment. Since he would not want to use his own credit card, he chooses Bank Deposit and completes the purchase.

[Screenshot: Screen Shot 2013-10-28 at 11.30.04 PM]

5. And it's done.

[Screenshot: Screen Shot 2013-10-28 at 11.32.21 PM]

So, the attacker was able to successfully place an order to be shipped to his address without entering any credit card details.


Thoughts:

The folks at Shopify replied back with the following:

“First, this is no different from someone forgetting to log out of any other site, there’s not much we can do here (it’s the user’s responsibility to protect their account, just like any other site). Secondly, keeping the person logged-in is not a bug, it’s the expected behaviour. The purpose of logging in before placing an order is not to store payment information, which greatly reduces the risk of forgetting to log out. An attacker who “find” an active session from another user would still have to pay for that order with a valid credit card which is what we really want to protect here (credit card information).”


First, this is no different from someone forgetting to log out of any other site, there’s not much we can do here (it’s the user’s responsibility to protect their account, just like any other site).

I am not sure how other e-commerce sites (eg Amazon) implement shopping carts but this one is definitely weird.

Why isn’t there a logout option on the checkout page once the customer is authenticated? As I mentioned earlier, even if the customer wants to logout, there is NO LOGOUT option on the checkout page. If there was this option and the customer still decides to close the browser, I can see what they are trying to say. But, providing this logout option on the checkout page can definitely help. On logging out, it can be used to disassociate the cart_token so that it cannot be used by the attacker in the future.
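To make the two designs concrete, here is an added toy model (constructed for this post, not Shopify's code) of the flow in steps 1–5 above and of the logout-disassociates-the-cart fix suggested in the paragraph above: the weak service hands the checkout data to anyone who presents the cart_token URL, while the hardened one also checks that the request carries the session cookie of the customer the cart was bound to, and drops the binding on logout. All names, tokens and addresses are made up.

```python
import secrets


class CheckoutService:
    """Toy model of the checkout flow above (constructed; not Shopify's code).
    A cart_token is bound to a customer at login. Weak design: the token alone
    opens the checkout page. Hardened: the bound customer's session cookie is
    also required, and logout disassociates the token so the URL goes dead."""
    def __init__(self, require_session):
        self.require_session = require_session
        self.sessions = {}      # session_id -> customer email
        self.cart_owner = {}    # cart_token -> customer email
        self.profiles = {}      # customer email -> billing address

    def login(self, email, billing_address, cart_token):
        """Step 2 of the flow: authenticate, then associate the cart with the customer."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = email
        self.profiles[email] = billing_address
        self.cart_owner[cart_token] = email
        return session_id

    def logout(self, session_id):
        """The logout the post asks for: drop the session and its cart bindings."""
        email = self.sessions.pop(session_id, None)
        for token in [t for t, e in self.cart_owner.items() if e == email]:
            del self.cart_owner[token]

    def get_checkout(self, cart_token, session_id=None):
        """GET /carts/<shop_id>/<cart_token>: customer data, or None if refused."""
        owner = self.cart_owner.get(cart_token)
        if owner is None:
            return None                 # unknown or disassociated cart
        if self.require_session and self.sessions.get(session_id) != owner:
            return None                 # the URL alone is not proof of identity
        return {"email": owner, "billing_address": self.profiles[owner]}


def demo():
    token = "abc123"                    # constructed cart_token
    weak = CheckoutService(require_session=False)
    weak.login("c@example.com", "1 Main St", token)
    leaked = weak.get_checkout(token)   # URL only, no cookie: data comes back
    hard = CheckoutService(require_session=True)
    sid = hard.login("c@example.com", "1 Main St", token)
    without_cookie = hard.get_checkout(token)       # refused
    with_cookie = hard.get_checkout(token, sid)     # the owner still sees it
    hard.logout(sid)
    after_logout = hard.get_checkout(token, sid)    # refused: token is dead
    return leaked, without_cookie, with_cookie, after_logout
```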


Secondly, keeping the person logged-in is not a bug, it’s the expected behaviour. 

I understand. But, does this mean that disclosing information like the email address and billing address of customers is also expected? I don’t think this is the case with other e-commerce websites. Aren’t we supposed to protect customers’ privacy as much as we can?


The purpose of logging in before placing an order is not to store payment information, which greatly reduces the risk of forgetting to log out. An attacker who “find” an active session from another user would still have to pay for that order with a valid credit card which is what we really want to protect here (credit card information).

I just showed how it's possible to place an order without entering any credit card information. The money order option can be chosen as well and it will result in the same. Now, I don't know how the bank deposit and money order options are supposed to be set up in the admin console, but the attacker definitely does not require any of that information to place an order. It is good in a way that the customer’s credit card details are not populated like his email and billing address, but that doesn’t mean that it reduces the risk.


I would like to know what you guys think about this. I have spent a lot of time thinking this through. I haven’t seen a lot of e-commerce websites out there so I am not sure if this is something that is acceptable or not.


Thanks.


3 Comments
  1. Abhisek

    As far as placing the order is concerned, I don’t think it's much of a security threat (but revealing personal information is). If you are choosing the Bank deposit option, I’m sure the process would be that the goods would be shipped once the user deposits money to the company’s bank account. So no monetary loss for the company.

    Secondly, keeping a user logged in is their choice. But I do agree that there should be some way to log out of the website other than clearing my cookies and browsing history.

  2. Dean

    Doesn’t the “Sign in as a different user” link on the checkout page log you out? I can see this link in your screenshot. The logout link seems to be on all other pages too.

    I don’t think there’s any saved payment details associated with customer account either. The bank transfer option just means that the store owner will wait for a bank deposit before shipping the product.

  3. Dean – good point. I didn't try “Sign in as a different user”. Maybe it does. But, Shopify folks never indicated that it did so I am guessing it does not unless you have tried it. And, yes the logout option was there on most of the other pages. That’s why I was wondering why it is not there after logging in. That’s the most obvious place I would expect to see it, i.e. after you log in. I still don’t get it.

    It is very convenient for everybody to say “it is up to them to implement it or not” but when you think about it, the more control we give to the end user, the more he is going to screw it up. We should rather try to make them follow good practices and not rely on them. This is the stupidest excuse I’ve heard so many times now that “they can't control what the end user does”. Just because it involves effort and time and people to write that extra line/lines of code doesn’t mean you start justifying by saying that it is not exploitable or the risk is low or this or that. Freaking if you don’t want to get hacked, do the right thing.

    I did not investigate anything with respect to the bank transfer and I'm not sure how that flow works. I gave up once they came back with the above reasoning. No point wasting my time on something that they don't care about or don't consider worth fixing.
