Shopify: Open redirect allows changing iframe content in *<id>/editor

ID H1:165046
Type hackerone
Reporter zombiehelp54
Modified 2016-09-22T17:04:13


Hi,

I managed to bypass the fix you deployed to the issue I reported in #159522. Apparently this is what the fix does:

  • Redirecting to <exact_store_id>/ only is allowed.
  • For example: <victim_store_id>/ will work
  • but <attacker_store_id>/ won't work
  • <store_id> no longer follows the 302 redirect rules added in the admin dashboard.

Redirect bypass:

Note that 14467660 is the attacker's store id.

The 302 redirect no longer works, but the attacker can still inject any HTML/JavaScript code in his store's 404 page that will redirect to any domain he wants.

Change theme editor iframe content:

Here is the PoC: https://<your_store><theme_id>/editor#/account/logout?return_url=<your_store_id>/../14467660
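The bypass works because the fix compares the raw `return_url` against the expected store id without normalizing it first, so `<store_id>/../14467660` passes the check and then resolves to the attacker's store. The following is an added example written for this page, not Shopify's code, showing a prefix-style check beside a hardened one that canonicalizes the path before comparing. The path layout (`<store_id>/...` as a relative path), the function names and the store id `12345678` are assumptions; `14467660` is the attacker store id quoted in the report.

```ruby
require "uri"

# Weak check: "must start with <store_id>/" as a plain prefix test.
# It accepts "<store_id>/../14467660" because it never normalizes the path.
def weak_return_url_ok?(return_url, store_id)
  return_url.start_with?("#{store_id}/")
end

# Canonicalize a relative path: percent-decode once, reject anything that is
# not a plain relative path, collapse "." and "..", and refuse paths that try
# to climb above the root. Returns the canonical segments, or nil on rejection.
def canonical_segments(return_url)
  decoded = URI.decode_www_form_component(return_url)
  # Absolute URLs, protocol-relative "//host" and backslashes are not
  # in-store paths at all.
  return nil if decoded.match?(%r{\A[a-z][a-z0-9+.-]*:}i)
  return nil if decoded.start_with?("//") || decoded.include?("\\")

  segments = []
  decoded.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if segments.empty? # escaping above the root is rejected, not silently fixed
      segments.pop
    else
      segments << seg
    end
  end
  segments
rescue ArgumentError # malformed %-encoding such as "%zz"
  nil
end

# Hardened check: the canonical path's first segment must equal the expected
# store id exactly (segment match, not prefix match).
def safe_return_url_ok?(return_url, store_id)
  segs = canonical_segments(return_url)
  !segs.nil? && !segs.empty? && segs.first == store_id
end

# What the redirect handler should use: the canonical in-store path when the
# check passes, otherwise a fixed safe landing page for the current store.
def resolve_return_url(return_url, store_id)
  if safe_return_url_ok?(return_url, store_id)
    "/#{canonical_segments(return_url).join('/')}"
  else
    "/#{store_id}/"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: the report's bypass value against an assumed victim store id.
  victim = "12345678"
  bypass = "#{victim}/../14467660"
  puts "weak check accepts bypass:  #{weak_return_url_ok?(bypass, victim)}"   # true
  puts "safe check accepts bypass:  #{safe_return_url_ok?(bypass, victim)}"   # false
  puts "redirect target used:       #{resolve_return_url(bypass, victim)}"    # /12345678/
end
```

The point of the hardened version is ordering: decode and collapse `..` first, then compare, and fall back to a fixed in-store page rather than to whatever the attacker supplied. It decodes only once on purpose; if a downstream component decodes again, apply the check at that layer too.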