Shopify: Bypass of biometrics security functionality is possible in Android application

ID H1:637194
Type hackerone
Reporter tems
Modified 2019-08-14T13:08:47



The Shopify Android app has an option to sign in to the app using a fingerprint. But if the application is open and someone triggers a "deeplink", authentication is no longer required.

Steps to Reproduce

{F523700} Link: Shopify Help Center - Topics - Products

NOTE¹: The application must be open when triggered.

NOTE²: It is also possible via ADB and Java (Android App):

```
adb shell am start -n -d ''
```

```java
Intent intent = new Intent();
intent.setClassName("", "");
intent.setData(Uri.parse(""));
startActivity(intent);
```

My environment information: {F523698} {F523699}


Unauthorized access to use the application.
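
The class of fix for a bypass like the one reported above, as an added example that is not part of the original report and is not Shopify's code: the lock check sits in one gate that every entry point, deep links included, must pass. It is a plain-Java model with no Android SDK; the class name, method names and sample URI are hypothetical, and it assumes the weak pattern is a lock check performed only on the launcher path.

```java
// Added illustration (plain Java, no Android SDK). All names here are hypothetical.
public class AppLockGate {
    private boolean unlocked = false;   // true only after a successful biometric check
    private String pendingUri = null;   // deep link held back while the app is locked

    /** Weak pattern (assumed): only the launcher entry checks the lock; deep links route directly. */
    String entryLauncherOnlyCheck(String deepLinkUri) {
        if (deepLinkUri != null) return "SCREEN:" + deepLinkUri;   // lock state never consulted
        return unlocked ? "SCREEN:home" : "LOCK_SCREEN";
    }

    /** Hardened pattern: every entry point passes the same gate before any screen is shown. */
    String entryGated(String deepLinkUri) {
        if (!unlocked) {
            pendingUri = deepLinkUri;   // remember the target, show nothing yet
            return "LOCK_SCREEN";
        }
        return "SCREEN:" + (deepLinkUri != null ? deepLinkUri : "home");
    }

    /** Call from the biometric success callback; resumes the deferred deep link, if any. */
    String onBiometricSuccess() {
        unlocked = true;
        String target = pendingUri;
        pendingUri = null;
        return "SCREEN:" + (target != null ? target : "home");
    }

    /** Call when the app goes to the background so the next entry is gated again. */
    void onBackgrounded() {
        unlocked = false;
        pendingUri = null;
    }

    public static void main(String[] args) {
        String link = "example://products";   // constructed sample URI
        AppLockGate app = new AppLockGate();
        System.out.println("launcher-only check: " + app.entryLauncherOnlyCheck(link));
        System.out.println("gated entry:         " + app.entryGated(link));
        System.out.println("after biometrics:    " + app.onBiometricSuccess());
        app.onBackgrounded();
        System.out.println("after background:    " + app.entryGated(link));
    }
}
```

In an Android app the gate would typically be invoked from a shared base activity or from `Application.ActivityLifecycleCallbacks`, so that an activity started by an external intent cannot skip it.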