Shopify: Redirect in adding advance cash on delivery app

ID H1:188266
Type hackerone
Reporter ashish_r_padelkar
Modified 2017-06-27T16:46:55



When you install the Advance Cash on Delivery app in your shop, it takes you to the URL




Here, the return_url parameter controls where the user is redirected after activation.

So for any shop that has this app installed but not yet activated, an attacker can send the above URL to the victim, changing only the shop name in the URL to the victim's shop name and the return_url to a malicious URL; the api_key stays the same.



  1. Assume a victim shop with the Advance Cash on Delivery app installed but not yet activated.

  2. Send the URL https://<YourShop> to the victim.

  3. When the victim clicks the Activate button, they are redirected to
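The fix for this class of bug is to validate return_url against the installing shop before redirecting, rather than trusting the parameter. The following is an added example and is not Shopify's or the app's code; the shop host name and the fallback path /admin/apps are constructed assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed example shop host (assumption, not taken from the report).
SHOP_HOST = "victim-shop.myshopify.com"
DEFAULT_PATH = "/admin/apps"  # assumed safe landing page after activation


def safe_return_url(return_url: str, shop_host: str = SHOP_HOST) -> Optional[str]:
    """Return a redirect target only if it stays on the installing shop.

    Accepts a relative path ("/admin/apps") or an absolute https URL whose
    host exactly equals shop_host. Scheme-relative "//evil.example",
    foreign hosts, "javascript:" URLs, userinfo tricks ("shop@evil.example")
    and backslash variants are rejected by returning None.
    """
    if not return_url:
        return None
    # Browsers treat "\" as "/" in URLs, so normalise before parsing;
    # otherwise "/\evil.example" would look like a harmless relative path.
    parts = urlsplit(return_url.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must be a single leading "/", not a "//host" form.
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return None
        return urlunsplit(("https", shop_host, parts.path, parts.query, ""))
    if parts.scheme.lower() != "https":
        return None
    # hostname excludes userinfo and port, so "shop@evil.example" yields evil.example.
    if (parts.hostname or "").lower() != shop_host.lower():
        return None
    # Rebuild from trusted components; drops any userinfo, port and fragment.
    return urlunsplit(("https", shop_host, parts.path or "/", parts.query, ""))


def redirect_target_from_request(request_url: str, shop_host: str = SHOP_HOST) -> str:
    """Extract return_url from an install/activation URL and pick a safe target.

    Falls back to the shop's default page whenever the supplied value fails
    validation, so a tampered return_url never leaves the shop's origin.
    """
    query = parse_qs(urlsplit(request_url).query)
    wanted = query.get("return_url", [""])[0]
    return safe_return_url(wanted, shop_host) or f"https://{shop_host}{DEFAULT_PATH}"
```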

Thanks & Regards Ashish