Shopify: [] Invalidated redirection

ID H1:175168
Type hackerone
Reporter shailesh4594
Modified 2016-12-04T15:57:02



Endpoint: [victim_shop]

Suppose the victim has not linked his shop with the portal; then an attacker can redirect him to an external website after linking or rejecting.

Steps to reproduce:

  1. Get logged in as admin in your shop and
  2. Open this link: [your-shop]
  3. If you are logged in, then the Link These Accounts button and the No thanks link will be shown.
  4. Click on the Link Account button or the No thanks link.
  5. You will be redirected to instead of
  6. Done

Again, your shop should not be linked to

Suggested Fix: Use a stronger regular expression at this endpoint

Best regards, Shailesh
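As an added illustration of the suggested fix (example code, not Shopify's endpoint or the reporter's), the following contrasts a loose substring-style regex check of a redirect target with a validator that parses the URL and compares the host exactly against an allowlist. The allowed host `shop.example.com`, the weak pattern and the test URLs are all constructed for this example; the real endpoint, parameter and pattern are not given in the report.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the only host a post-linking redirect may target.
ALLOWED_HOSTS = {"shop.example.com"}

# Constructed example of a loose check: the pattern only requires the trusted
# domain to appear *somewhere* in the URL, so it can be satisfied by an
# attacker-controlled host that merely contains or is followed by that text.
WEAK_PATTERN = re.compile(r"shop\.example\.com")


def weak_is_safe(url: str) -> bool:
    """Loose check: accepts any URL in which the trusted domain appears."""
    return WEAK_PATTERN.search(url) is not None


def strict_is_safe(url: str) -> bool:
    """Strict check: allow only absolute http(s) URLs whose parsed host is
    exactly allowlisted, or same-origin relative paths."""
    url = url.strip()
    # Reject control characters and backslashes; some browsers normalise
    # backslashes to forward slashes, which can change how the URL parses.
    if any(ord(c) < 0x20 for c in url) or "\\" in url:
        return False
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative path must start with a single '/', so that a
        # protocol-relative '//host' (which urlparse would give a netloc) is
        # never treated as same-origin.
        return url.startswith("/") and not url.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and other schemes
    host = parsed.hostname  # userinfo and port are stripped by the parser
    return host is not None and host.lower() in ALLOWED_HOSTS


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Return the requested target only if it passes the strict check,
    otherwise fall back to a fixed in-app location."""
    return url if strict_is_safe(url) else fallback
```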