Skip to content

Shopify Bug Bounty

October 28, 2013

UPDATE: I have written a second blog post now following this.

Shopify recently announced their Bug Bounty program. And, I jumped onto the hunt as soon as it was launched. As I was informed by them, I was the second person to register for it.

This blog post is about what I reported, why they did not consider it as a valid finding then and now it looks like it has been fixed.

The bug I reported was on the page – https://<myshop>.myshopify.com/admin/settings/payments

Basically, on this page, an admin can change/edit/add settings related to the admin’s shop. There is one particular setting called “Customer Accounts” which looks like this:

2013-10-28 11_05_28-themes ~ Payments ~ Shopify

Now, if I were a shop admin, this is pretty self explanatory. If I choose “Accounts are required”, customers can ONLY check out if they have an account created for them by me. If they don’t have an account, they should not be able to check out. Right? We will come back to this later.

Let’s proceed to the finding:

1. Assuming the shop in question is <myshop>.myshopify.com, navigate to this site as an attacker.

2. View a product and add it to the cart. Click on the cart.

3. Proceed to checkout.

4. Notice that as per our setting above, the attacker is asked to authenticate before being allowed to checkout.

5. Observe that the URL looks something like this –

http://<myshop >.myshopify.com/account/login/xxxxxxxxxxxx?checkout_url=https%3A%2F%2Fcheckout.shopify.com%2Fcarts%2F<cart_no>%2F<cart_id>

6. Now, without authentication, directly navigate to the URL
https://checkout.shopify.com/carts/<cart_no>/<cart_id>/create_order

7. Notice that the attacker can now see the name, email address of a registered customer of the shop (the email address masked is the email address for the test1 user that was registered as a customer of this shop by the admin), a form to enter the billing address or choose from an existing billing address of the customer. The screenshot is attached below:

2013-10-28 11_32_28-Bypassing authentication-1.png - Windows Photo Viewer

So, this is what I reported. I feel disclosing information like name, email address and billing address of customers of a particular shop to an unauthenticated attacker is just unnecessary and exposes unwanted risk and more importantly, discloses information about the shop customers.

Now, I checked it today again and this is what I observed:

1. The URL in step 5 above now has an additional parameter called “sid”. I dont know what this is being used for but this was not present when I tested originally.
2. When I try to navigate to the URL mentioned in Step 6 above directly, I am not being redirected to the checkout page anymore. This was certainly not the case when I tested it.

This clearly shows that there were some changes made in the code base.

Below is what I received regarding my submission:

the customer account required is not intended to prevent the actions you outlined, just to make sure that an order is placed from an account.

I don’t understand how the above justification makes sense. If that functionality is just used to ensure that the order is placed from an account, why would you disclose account details like name, email and billing address to someone who is not even a customer of the shop?

Secondly, if that functionality is not intended to prevent the actions that I outlined, why does it say that? Am I just blind in reading what its supposed to do? Or, is it just to make the admins feel safe about their customers? I am confused here.

Needless to say, I did not get any credit for reporting this. And, now it looks like they have fixed it/made changes and this is not reproduce-able anymore. I am disappointed.

Advertisements

From → Security

6 Comments
  1. They are promoting their bug bounty through BugCrowd.com. Let BugCrowd know of this experience. If anything, they might remove them from the list if they are performing bad bug bounty practices.

  2. I already did that. They were trying to figure out their bug bounty process when I reported this. So, I understand why they must have not considered this a valid finding. But, it still is unacceptable, even more now because it appears to have been fixed. Re-tweeting this blog post link would be much appreciated. Thanks.

  3. Samuel Kadolph permalink

    Hey Anshuman, I’ve looked into the issue and it’s only reproducible if you’ve visited the checkout before and the only information exposed is your own. If you visit the checkout with a cart that has no customer info and your session is new you get redirected back to the storefront to log in.

    • Hi Samuel, as I mentioned, I was not able to reproduce it either when I tested it today. I am not sure what changes have been made in the code base but I definitely saw new parameters like sid that weren’t present before. I cannot say for sure if these changes have modified the behavior or not.

      Having said that, I did follow the same exact steps mentioned above when I first tested it and it worked. I was able to get the information about a registered customer even though the customer was not even logged in. I made sure I cleared all the cookies from the browser so that there were no previous session cookies in the browser.

      • Samuel Kadolph permalink

        The issue is still reproducible, we haven’t changed anything because we do not consider it an issue because you are only seeing your own information.

        1. Visit a storefront
        2. Add an item to your cart
        3. Copy the cart cookie value
        4. Visit checkout.shopify.com/carts/SHOP_ID/CART_TOKEN
        5. Observe that you get redirected to the storefront and asked to log in

        That happens if you have no session on checkout.shopify.com and the cart token does not have a customer account associated with it. If either of those conditions are not met (i.e. you have checked out before or you logged in on the storefront) then you see the email and name for the customer account you used previously.

  4. Hi Samuel,

    After reading your comment, I did some more digging. I have come up with a new attack vector that I will email shortly rather than writing it here.

    Thanks,
    Anshuman

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: