Hi, I have found a CSRF issue in themes.shopify.com when installing premium themes.
When going to a premium theme page, for example https://themes.shopify.com/themes/editions/styles/light/, there is a button saying
"Preview in your store"; clicking that button sends a POST request to
https://themes.shopify.com/themes/editions/styles/light/demo with an authenticity token to prevent CSRF, but going to the URL
https://themes.shopify.com/themes/editions/styles/light/demo directly will get the theme installed without any validation for the authenticity token.
Editions will be installed in your shop: https://<your_store>.myshopify.com/admin/themes, and you'll see the theme installed there.
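The defect the report describes is a state-changing endpoint that is reachable with a plain GET and therefore never runs the authenticity-token check. The following is an added illustration of the two server-side guards that close that hole, written here for this page and not Shopify's code: the endpoint rejects any safe method (GET/HEAD/OPTIONS) outright, and for POST it requires the submitted token to match the one bound to the session, compared in constant time. The request hash shape (`method`, `params`, `headers`, `session`) and the three sample requests are constructed for the example.

```ruby
require 'securerandom'

# Added example (not Shopify's or Rails' code): minimal guard for a
# state-changing route such as the theme "demo" install endpoint.
# Two independent checks:
#   1. a safe method (GET/HEAD/OPTIONS) must never cause a state change,
#      so a cross-site link or image tag cannot trigger the install;
#   2. a POST must carry the per-session authenticity token, which a
#      third-party origin cannot read even though the cookie is sent.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Constant-time byte comparison so token checks do not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decide whether a request to the install endpoint may proceed.
# request is a Hash with :method, :params, :headers and :session
# (constructed shape for this example; a real framework passes its own object).
# Returns [:allow, nil] or [:reject, reason].
def authorize_state_change(request)
  return [:reject, 'state change over safe method'] if SAFE_METHODS.include?(request[:method].upcase)

  session_token = request[:session][:csrf_token]
  submitted = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
  return [:reject, 'missing authenticity token'] if session_token.nil? || submitted.nil?
  return [:reject, 'authenticity token mismatch'] unless constant_time_equal?(session_token, submitted)

  [:allow, nil]
end

# --- constructed sample requests ---------------------------------------
SESSION_TOKEN = SecureRandom.hex(32)
SESSION = { csrf_token: SESSION_TOKEN }.freeze

# The report's case: the browser follows the install URL with a GET; the
# store's cookie rides along, so only the method check stops it.
CROSS_SITE_GET = { method: 'GET', params: {}, headers: {}, session: SESSION }.freeze

# A POST forged from another origin: cookie present, token absent or wrong.
FORGED_POST = { method: 'POST', params: { 'authenticity_token' => 'not-the-session-token' },
                headers: {}, session: SESSION }.freeze

# The legitimate "Preview in your store" click: POST with the page's token.
LEGIT_POST = { method: 'POST', params: { 'authenticity_token' => SESSION_TOKEN },
               headers: {}, session: SESSION }.freeze

# Outcome of each sample request, keyed by scenario.
def demo_results
  {
    cross_site_get: authorize_state_change(CROSS_SITE_GET).first,
    forged_post: authorize_state_change(FORGED_POST).first,
    legit_post: authorize_state_change(LEGIT_POST).first
  }
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each { |scenario, verdict| puts "#{scenario}: #{verdict}" }
end
```

In a Rails application the equivalent is to route the action with `post` rather than `get` (or `match ... via: :get`) and to leave `protect_from_forgery` active on the controller; the method check matters because Rails' forgery protection is skipped for GET requests by design, which is exactly why a GET-reachable install route bypassed the token.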