Shopify: SSL cookie without secure flag set

2015-04-27T10:52:29
ID H1:58679
Type hackerone
Reporter blackpanther_pintoo
Modified 2015-07-13T19:10:32

Description

hello shopify security team,

I have found security vulnerability.

Vulnerable URL :- https://app.shopify.com/services/signup/track/

The following cookie was issued by the application and does not have the secure flag set: _signup_session_id=0875b12b680173807271e6c444a964e8; path=/; expires=Mon, 04 May 2015 10:41:46 -0000; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

GET resquest :

GET /services/signup/track/?callback=jQuery11110798379517192883_1430131298047&https%3A%2F%2Fecommerce.shopify.com%2F=&signup_page=https%3A%2F%2Fecommerce.shopify.com%2F&_=1430131298048 HTTP/1.1 Host: app.shopify.com User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:37.0) Gecko/20100101 Firefox/37.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ecommerce.shopify.com/ Cookie: _y=e9490629-96df-49fb-86d4-3bebd3c9d030; _s=0E3B332E-80EF-4F8F-AFAE; optimizelySegments=%7B%221587850080%22%3A%22ff%22%2C%221590330050%22%3A%22referral%22%2C%221587810109%22%3A%22none%22%2C%221589390078%22%3A%22false%22%7D; optimizelyEndUserId=oeu1430131148437r0.25686239854850346; optimizelyBuckets=%7B%7D; _signup_session_id=0875b12b680173807271e6c444a964e8; optimizelyPendingLogEvents=%5B%5D Connection: keep-alive

Response :

HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Apr 2015 10:41:46 GMT Content-Type: application/javascript Connection: keep-alive X-Sorting-Hat-PodId: -1 X-Sorting-Hat-PodId-Cached: 0 X-Sorting-Hat-ShopId-Cached: 0 Vary: Accept-Encoding Status: 200 OK X-XSS-Protection: 1; mode=block; report=/xss-report/31ff8114-c9ed-40d0-8eec-f1235d91b64f?source%5Baction%5D=track&source%5Bcontroller%5D=services%2Fsignup&source%5Bsection%5D=other X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=315576000; includeSubdomains Set-Cookie: _signup_session_id=0875b12b680173807271e6c444a964e8; path=/; expires=Mon, 04 May 2015 10:41:46 -0000; HttpOnly X-Request-Id: 31ff8114-c9ed-40d0-8eec-f1235d91b64f P3P: CP="NOI DSP COR NID ADMa OPTa OUR NOR" X-Dc: ash Content-Length: 324

/**/jQuery11110798379517192883_1430131298047({"callback":"jQuery11110798379517192883_1430131298047","https:\/\/ecommerce.shopify.com\/":"","signup_page":"https:\/\/ecommerce.shopify.com\/","_":"1430131298048","host":"app.shopify.com","protocol":"https:\/\/","format":"json","action":"track","controller":"services\/signup"})

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

thanks.. :)

Regards, Pratik Panchal