Shopify: Cookie securing your "Opening soon" store is not secured against XSS

ID H1:100956
Type hackerone
Reporter jurajk
Modified 2015-12-01T22:39:11


PoC: 1) Protect your e-shop with a password (Storefront password) 2) Go to your e-shop URL and enter the password to access the store 3) There is a cookie created - name: storefront_digest - this cookie contains the password (in a secure way) which protects your store 4) This cookie is not marked as HttpOnly, so if there is e.g. XSS, anyone can steal this cookie 5) With this cookie anyone can access your "Opening soon" e-shop, even if he doesn't know the password

Before you answered I would like to confirm that I read shopify terms and: 1) I don't care about he password strength. It is not important in that case 2) I am pretty sure that this cookie - storefront_digest - is a sensitive cookie since by stealing this cookie you can access resources you shouldn't be able to...

Thank you.