Shopify: [CSRF] Install premium themes

ID H1:103351
Type hackerone
Reporter zombiehelp54
Modified 2016-07-27T18:52:19


Hi, I have found a CSRF issue in when installing premium themes.


When going to a premium theme page for example: there is a button saying Preview in your store, clicking that button sends a POST request to with an authenticity token to prevent CSRF, but going to the URL directly will get the theme installed without any validation for the authenticity token.

Steps to reproduce:

  1. Go to then log in with your store
  2. Go to and the theme editions will be installed in your shop
  3. To confirm, go to https://<your_store> and you'll see the theme installed there.
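The pattern behind the report, as an added Ruby illustration that is not Shopify's code: a handler that performs the theme install on any request (so a plain GET bypasses the authenticity token) beside a hardened handler that accepts only a POST carrying a token bound to the session. The Request struct, the theme_id parameter and the store hash are assumptions made for the example.

```ruby
require 'securerandom'

# Minimal stand-in for an HTTP request: method, params and the user's session.
Request = Struct.new(:method, :params, :session, keyword_init: true)

# Mints the per-session token that the "Preview in your store" form carries.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the token check does not leak timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable handler: the install URL does its work for any method, so a GET
# triggered from a third-party page installs the theme and the token in the
# real form is never consulted.
def install_theme_vulnerable(req, store)
  store[:themes] << req.params['theme_id']
  [200, 'installed']
end

# Hardened handler: the state change is only accepted on POST, and only when the
# submitted authenticity_token matches the token bound to this session.
def install_theme_hardened(req, store)
  return [405, 'method not allowed'] unless req.method == 'POST'
  expected  = req.session[:csrf_token]
  submitted = req.params['authenticity_token']
  return [403, 'invalid authenticity token'] unless expected && secure_compare(expected, submitted)
  store[:themes] << req.params['theme_id']
  [200, 'installed']
end
```

A GET with the victim's session cookie succeeds against the first handler and is refused by the second; only a POST with the session's own token installs the theme.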