Shopify: CSRF token fixation in facebook store app that can lead to adding attacker to victim acc

ID H1:55911
Type hackerone
Reporter defmax
Modified 2015-06-25T20:05:05


hey guys

I just found a CSRF token fixation in the Facebook Store app, which is an official Shopify app.

link >>

The CSRF bug connects the attacker's Facebook account to the victim's Shopify account. This is done by exploiting the 'Connect with Facebook' function.

When using the 'Connect with Facebook' function, a request is sent to Facebook to authorize the Shopify app. After authorizing, an 'access token' is sent in the response, which the Shopify app verifies before connecting the account. The verification is done by a CSRF token, the "state" parameter.

Here the state parameter is getting fixed:

1st OAuth request

Then, when it is authorized, we will get this GET!

Now, however many times you authorize, the state parameter will be the same! Once the attacker gets the state parameter by XSS or any other method, he can make the CSRF possible lifelong.

Exploit code:

<html> <body> <a href="[[attacker_token ]&state=c2f449f2df5ee64df6173702846bce72e3a57319#_=_"></a> </body> </html>

Hope this bug will be fixed soon.
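The following is an added illustration of how the state parameter should be handled on the server side; it is not code from the report or from Shopify's app, and the class and function names, the session identifiers and the clock are assumptions made for the example. It shows the property the report says is missing: each 'Connect with Facebook' attempt gets a fresh, unguessable state bound to the initiating session and consumed on first use, so a state value captured once cannot be reused later or from another session.

```python
import hmac
import secrets
import time


class OAuthStateStore:
    """Server-side store of per-session, single-use OAuth 'state' values.

    Hypothetical helper: the report describes a state value that stays the
    same across authorizations, which lets a captured value be replayed in a
    CSRF link. Here every attempt gets a new random value, bound to the
    session that started the flow and deleted the first time it is checked.
    """

    def __init__(self, ttl_seconds=600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                # injectable clock, for testing
        self._states = {}              # state -> (session_id, issued_at)

    def issue(self, session_id):
        """Generate a fresh 256-bit state for this session's OAuth request."""
        state = secrets.token_urlsafe(32)
        self._states[state] = (session_id, self._now())
        return state

    def consume(self, session_id, state):
        """Validate the state from the OAuth callback. Returns True once at most."""
        entry = self._states.pop(state, None)   # single use: gone after first check
        if entry is None:
            return False                        # unknown, replayed or never issued
        bound_session, issued_at = entry
        if self._now() - issued_at > self._ttl:
            return False                        # stale state, treat as invalid
        # constant-time comparison of the session binding
        return hmac.compare_digest(bound_session, session_id)


def handle_facebook_callback(store, session_id, query_params):
    """Decide whether the callback may connect the Facebook account.

    query_params is a dict of the callback's query string (constructed input).
    The 'code'/'access token' exchange is out of scope and not simulated here.
    """
    state = query_params.get("state", "")
    if not store.consume(session_id, state):
        return "rejected: invalid, reused or foreign state"
    return "connected"
```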