Hi, I have found that when a user tries to export the list of current users who installed their app through
https://app.shopify.com/services/partners/api_clients/<app_id>/export_installed_users the fields of the CSV file are not properly escaped, which makes them vulnerable to CSV Excel Macro Injection.
An attacker could change their shop name to a malicious formula that executes malware on the user's PC. Since formulas aren't escaped, the ways this can be abused are nearly limitless and the impact can be severe; one example is having it execute malware on the user's computer.
<app_api_key> is the API key of the app you have created through the partner account and the
<app_redirect_uri> is its redirect URL.
Go to <your_store>.myshopify.com/admin/settings and change the store name to
-2+3+cmd|' /C calc'!D2
Open https://app.shopify.com/services/partners/api_clients/<app_id>/ then scroll down and click the
Export list of current users button. A CSV file will then be sent to your email; open that file and you'll see that the cell is active and the command will be executed.
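The fix on the export side is to neutralise any cell that a spreadsheet would evaluate before writing it out, and to quote fields so a hostile value cannot break out of its cell. The following Ruby is an added example of that defence (not Shopify's code, and not part of the report); the column layout and the sample rows are constructed, and the first sample shop name is the payload quoted above.

```ruby
# Leading characters that make Excel/LibreOffice evaluate a cell instead of
# storing it as text (OWASP CSV injection guidance). The payload above starts
# with '-' and relies on the '|' DDE operator further in, so neutralising the
# first character is what stops it.
FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"].freeze

# True when the cell would be interpreted as a formula. Checks both the raw
# first character and the first non-blank one, since " =cmd" is still evaluated.
def formula_like?(value)
  s = value.to_s
  FORMULA_TRIGGERS.include?(s[0]) || FORMULA_TRIGGERS.include?(s.lstrip[0])
end

# Neutralise a cell by prefixing a single quote; the spreadsheet then shows the
# text verbatim (Excel hides the quote). Ordinary shop names are left unchanged.
def sanitize_cell(value)
  s = value.to_s
  formula_like?(s) ? "'#{s}" : s
end

# RFC 4180 quoting: wrap the field in double quotes when it contains a comma,
# a double quote or a line break, doubling any embedded double quotes.
def csv_quote(field)
  return field unless field.match?(/[",\r\n]/)
  "\"#{field.gsub('"', '""')}\""
end

# Build the "installed users" export: every cell is sanitised, then quoted, so
# a hostile shop name can neither run as a formula nor escape its cell.
def export_installed_users(rows)
  header = ['Shop name', 'Shop domain', 'Installed at']
  lines = ([header] + rows).map do |row|
    row.map { |cell| csv_quote(sanitize_cell(cell)) }.join(',')
  end
  lines.join("\n") + "\n"
end

# Constructed sample data (hypothetical shops); the first name is the payload
# from the report, the second embeds a quote and a comma to exercise quoting.
SAMPLE_ROWS = [
  ["-2+3+cmd|' /C calc'!D2", 'evil.myshopify.com', '2016-01-01'],
  ['Bob\'s "Discount", Store', 'bobs.myshopify.com', '2016-01-02'],
  ['Acme Shop', 'acme.myshopify.com', '2016-01-03']
].freeze

puts export_installed_users(SAMPLE_ROWS) if __FILE__ == $PROGRAM_NAME
```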