Shopify: CSV Excel Macro Injection Vulnerability in export list of current users

ID H1:100667
Type hackerone
Reporter zombiehelp54
Modified 2015-12-01T21:06:58


Hi, I have found that when a user tries to export the list of current users who installed his apps through <app_id>/export_installed_users, the fields of the CSV file are not properly escaped, which makes them vulnerable to CSV Excel Macro Injection.


An attacker could change his shop name to a malicious function that executes malware on the user's PC. Since functions aren't escaped, the possibilities of using this are limitless and can cause a severe impact. One example is having it execute malware on the user's computer.

Steps to reproduce:

  1. Log in to your partner account, then go to and create a new app.
  2. Go to <your_store><app_api_key>&redirect_uri=<app_redirect_uri>&response_type=code&scope=read_products%2Cwrite_products, where <app_api_key> is the API key of the app you created through the partner account and <app_redirect_uri> is its redirect URL.
  3. Now click Install app.
  4. Go to <your_store> and change the store name to -2+3+cmd|' /C calc'!D2
  5. Go to <app_id>/, then scroll down and click the Export list of current users button. A CSV file will be sent to your email; open that file and you'll see that the cell is active and the command will be executed.
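The export-side fix a practitioner would apply, added here as an example and not code from Shopify or from the report: any cell whose first non-whitespace character is a spreadsheet formula trigger (=, +, -, @, tab or carriage return) gets a single-quote prefix so Excel stores it as text, and Ruby's CSV library handles quoting of embedded commas and double quotes. It is written in Ruby, Shopify's own server-side language. The column names, domains and dates are constructed for this example; the first sample row uses the report's own payload as the attacker-controlled store name.

```ruby
require 'csv'

# Leading characters that Excel and LibreOffice treat as the start of a
# formula or a DDE call such as cmd|' /C calc'!D2. Tab and carriage return are
# included because some importers honour them as triggers as well.
FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"].freeze

# True when the cell would be evaluated rather than displayed. Spreadsheets
# skip leading whitespace before the trigger, so strip it before testing.
def formula_like?(value)
  stripped = value.to_s.lstrip
  !stripped.empty? && FORMULA_TRIGGERS.include?(stripped[0])
end

# Prefix a formula-like cell with a single quote so the spreadsheet stores it
# as literal text. Non-string values (timestamps, integers) are stringified
# first; anything that is not formula-like is returned unchanged.
def neutralize_cell(value)
  text = value.to_s
  formula_like?(text) ? "'#{text}" : text
end

# Build the export CSV. CSV.generate quotes fields that contain the separator,
# double quotes or newlines (doubling embedded quotes), so a shop name such as
# Acme, "Ltd" cannot break out of its cell; neutralize_cell covers the formula
# triggers that the CSV format itself says nothing about.
# Column names are constructed for this example, not Shopify's real schema.
def export_installed_users(rows)
  CSV.generate do |csv|
    csv << %w[shop_name shop_domain installed_at]
    rows.each { |row| csv << row.map { |cell| neutralize_cell(cell) } }
  end
end

# Constructed sample rows. The first uses the payload from the report as the
# attacker-controlled store name; the third hides the trigger behind spaces.
SAMPLE_ROWS = [
  ["-2+3+cmd|' /C calc'!D2", 'evil.myshopify.com', '2015-11-30'],
  ['Acme, "Ltd"',            'acme.myshopify.com', '2015-11-29'],
  ['  =HYPERLINK("http://attacker.example/x","click")', 'x.myshopify.com', '2015-11-28'],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts export_installed_users(SAMPLE_ROWS)
end
```

The apostrophe prefix is the mitigation OWASP recommends for CSV injection; Excel renders a cell beginning with an apostrophe as text and hides the apostrophe, while LibreOffice shows it, so the exported name may look slightly different from what the merchant typed. It is a display-layer defence only: the DDE payload in the report still reaches the recipient's mailbox, and Excel executes it only after the user clicks through its external-data warnings, so neutralising triggers at export time is what stops the cell from ever becoming active.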