Shopify: Bypass access restrictions from API

ID H1:67557
Type hackerone
Reporter supernatural
Modified 2015-09-18T19:44:41


This issue allowed users with limited access to log in to the Shopify Mobile application, capture their own access token, and perform queries against Shopify's API in order to create new users with full access, or delete other users.

An additional issue was reported, where users with no access could view the complete list of users in the Shopify store, and although no sensitive information was being shown, we changed the access restriction for the users endpoint to match that of the web interface.

Title: Bypass admin users permission model with API call
Summary: Allowed limited-access admin to gain Full Access
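The root cause described above is an API surface that authenticated the caller's token but did not apply the same permission model the web interface enforced. The following is an added illustration (not Shopify's code, and not the actual fix) of a users endpoint whose web and API handlers consult one shared permission table, so a token captured by a limited-access staff account cannot list, create or delete users. The permission names, the `manage_users` requirement, and the extra rule that an actor may not grant permissions it does not itself hold are assumptions constructed for this example.

```python
"""Shared authorization guard for a staff-users endpoint (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Assumed permission set for a "full access" staff account.
FULL_ACCESS: FrozenSet[str] = frozenset({"orders", "products", "customers", "manage_users"})

# Single policy table used by BOTH the web controllers and the API handlers,
# so the two surfaces cannot drift apart (assumed policy for this example).
REQUIRED_PERMISSION: Dict[str, str] = {
    "users.list": "manage_users",
    "users.create": "manage_users",
    "users.delete": "manage_users",
}


@dataclass(frozen=True)
class StaffAccount:
    email: str
    permissions: FrozenSet[str]  # empty set models an account with no access


class Forbidden(Exception):
    """Raised when the acting account lacks the permission an action needs."""


class Store:
    def __init__(self, accounts: Iterable[StaffAccount], tokens: Dict[str, str]):
        self.accounts: Dict[str, StaffAccount] = {a.email: a for a in accounts}
        self.tokens: Dict[str, str] = dict(tokens)  # access token -> account email

    # --- authentication: which account does this token belong to? ---
    def account_for_token(self, token: str) -> StaffAccount:
        email = self.tokens.get(token)
        if email is None or email not in self.accounts:
            raise Forbidden("unknown or revoked token")
        return self.accounts[email]

    # --- authorization: may that account perform this action? ---
    def authorize(self, actor: StaffAccount, action: str) -> None:
        needed = REQUIRED_PERMISSION[action]
        if needed not in actor.permissions:
            raise Forbidden(f"{actor.email} lacks '{needed}' for {action}")

    # Vulnerable shape of the bug class: a valid token is treated as sufficient,
    # so any authenticated account (even limited access) can mint a full-access user.
    def create_user_vulnerable(self, token: str, email: str, permissions: Iterable[str]) -> StaffAccount:
        self.account_for_token(token)  # authentication only, no permission check
        account = StaffAccount(email, frozenset(permissions))
        self.accounts[email] = account
        return account

    # Hardened handlers: same authorize() call the web interface would make.
    def list_users(self, token: str) -> List[str]:
        actor = self.account_for_token(token)
        self.authorize(actor, "users.list")
        return sorted(self.accounts)

    def create_user(self, token: str, email: str, permissions: Iterable[str]) -> StaffAccount:
        actor = self.account_for_token(token)
        self.authorize(actor, "users.create")
        granted = frozenset(permissions)
        # Assumed extra rule: nobody may hand out permissions they do not hold.
        if not granted <= actor.permissions:
            raise Forbidden("cannot grant permissions the actor does not hold")
        account = StaffAccount(email, granted)
        self.accounts[email] = account
        return account

    def delete_user(self, token: str, email: str) -> bool:
        actor = self.account_for_token(token)
        self.authorize(actor, "users.delete")
        if actor.email == email:
            raise Forbidden("an account cannot delete itself via this endpoint")
        return self.accounts.pop(email, None) is not None


def build_demo_store() -> Store:
    """Constructed sample data: one owner, one limited staff member, one with no access."""
    owner = StaffAccount("owner@example.test", FULL_ACCESS)
    limited = StaffAccount("limited@example.test", frozenset({"orders"}))
    noaccess = StaffAccount("none@example.test", frozenset())
    tokens = {"tok-owner": owner.email, "tok-limited": limited.email, "tok-none": noaccess.email}
    return Store([owner, limited, noaccess], tokens)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.create_user_vulnerable("tok-limited", "evil@example.test", FULL_ACCESS))
    try:
        store.create_user("tok-limited", "evil2@example.test", FULL_ACCESS)
    except Forbidden as exc:
        print("blocked:", exc)
```

The point of the shape is that `authorize()` is the only place the policy lives: a mobile client calling with a captured token goes through exactly the same check as a browser session, so a limited-access account is refused the `users.*` actions on both surfaces, and the "no access" account is refused `users.list` just as the web interface refuses it.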