Shopify: Stored XSS in [shop].myshopify.com/admin/orders/[id]

2017-03-17T00:21:07
ID H1:214044
Type hackerone
Reporter zombiehelp54
Modified 2017-03-28T21:01:59

Description

Hi, I have found a stored XSS vulnerability in [shop].myshopify.com/admin/orders/[id] in the conversion details links. It's the same as #55842, but this one is through the landing page URL, not the referrer.

Steps to reproduce:

1. Navigate to [shop].myshopify.com/
2. Modify the _landing_page cookie value to javascript:alert(1) {F169421}
3. Add a product to your cart, then complete the checkout process.
4. Log in with an admin account, then navigate to [shop].myshopify.com/admin/orders/[id] and click the link for "The first page they visited", and alert(1) will be executed. {F169422}

Impact: This is a customer-to-admin XSS, so an attacker can target admins to do malicious actions such as fetching the CSRF token and using it to submit a request to add himself as an admin to take over the store.
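
The mitigation for this class of bug, as an added example that is not part of the original report and is not Shopify's code: parse the stored landing-page value and allow-list its scheme before it is ever placed in an href. The function names and the shop.example origin are assumptions made for illustration.

```javascript
// Added example (not Shopify's code): render a customer-supplied landing-page
// value as a link only when it parses to an http(s) URL.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns a normalized absolute URL that is safe to use as an href, or null.
// Parsing with the WHATWG URL class (instead of string matching) means the
// scheme is compared after the parser has lower-cased it and stripped
// leading whitespace and embedded tabs/newlines.
function safeLinkTarget(raw, shopOrigin) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return null;
  }
  let url;
  try {
    url = new URL(raw, shopOrigin); // relative paths resolve against the shop
  } catch {
    return null; // unparseable input is never linked
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Renders the "first page they visited" entry: a link when the target is
// safe, inert text otherwise. The raw value is always escaped for display.
function renderLandingPage(raw, shopOrigin) {
  const href = safeLinkTarget(raw, shopOrigin);
  const label = escapeHtml(String(raw));
  if (href === null) {
    return `<span>${label}</span>`;
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample values; SHOP is a placeholder origin.
const SHOP = "https://shop.example";
console.log(renderLandingPage("/collections/all", SHOP));
console.log(renderLandingPage("javascript:alert(1)", SHOP));
```

Output escaping alone does not stop this bug, because javascript:alert(1) contains no HTML metacharacters; the scheme check is what keeps the value out of the href.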