Endpoint : https://ecommerce.shopify.com/auth/shopify?shop=[victim_shop].myshopify.com&return_to=/////example.com
Suppose the victim has not linked their shop with the ecommerce.shopify.com portal. An attacker can then redirect them to an external website after they link or reject.
Steps to reproduce :
- Log in as admin to your shop and to ecommerce.shopify.com
- Open this link : https://ecommerce.shopify.com/auth/shopify?shop=[your-shop].myshopify.com&return_to=/////example.com
- If you are logged in, a Link These Accounts button and a No thanks link will be shown.
- Click the Link Account button or the No thanks link.
- You will be redirected to https://example.com instead of ecommerce.shopify.com
Again, your shop should not be linked to ecommerce.shopify.com.
Suggested Fix : Use a stronger regular expression at this endpoint
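
One way to validate `return_to` on the server side, shown as an added example (this is not Shopify's code, and it is not part of the original report). It contrasts a weak "no host parsed" check, which accepts the `/////example.com` value from the report, with a stricter local-path check; the function names, the fallback path `/` and the sample path `/discussions?page=2` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PATH = "/"  # assumed fallback landing page


def naive_is_local(return_to: str) -> bool:
    """Weak check: trusts the parser's view that the value has no host.

    urlsplit("/////example.com") yields an empty netloc and the path
    "///example.com", so this returns True, while a browser skips the
    extra slashes and navigates to example.com.
    """
    parts = urlsplit(return_to)
    return parts.scheme == "" and parts.netloc == ""


def is_local_path(return_to: str) -> bool:
    """Accept only a same-site path: exactly one leading '/'."""
    if not return_to or not return_to.startswith("/"):
        return False
    # Browsers treat '\' like '/' and drop tab/CR/LF inside URLs,
    # so reject backslashes and control characters outright.
    if "\\" in return_to:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in return_to):
        return False
    # Two or more leading slashes are read as a scheme-relative URL.
    if return_to.startswith("//"):
        return False
    parts = urlsplit(return_to)
    return parts.scheme == "" and parts.netloc == ""


def safe_return_to(return_to: str) -> str:
    """Return the value if it is a local path, else the fallback."""
    return return_to if is_local_path(return_to) else DEFAULT_PATH


if __name__ == "__main__":
    # Constructed sample inputs; the second is the value from the report.
    samples = ["/discussions?page=2", "/////example.com",
               "//example.com", "https://example.com/"]
    for s in samples:
        print(f"{s!r:26} naive={naive_is_local(s)} strict={is_local_path(s)}")
```

An allowlist of known destination paths, or a server-side token that maps to the destination, removes the need to parse attacker-supplied URLs at all.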