Shopify: increased privileges on staff account

ID H1:911857
Type hackerone
Reporter jaka_tingkir
Modified 2020-08-24T16:05:40


Staff on Partners without a store management permit can have access to the collaboration shop.

Steps for reproduction

  1. Invite staff to partners without store management permission
  2. Accept the invitation; the staff has now become a member of the partner
  3. On the staff account, try to access the collaboration store that has been active with partners
  4. Staff can enter and has permissions according to those owned by the partner account


Gives staff unauthorized access to see anything in the collaboration shop.
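
The authorization gap described in this report, modelled as an added example (not part of the original report and not Shopify's code): one check consults only the partner organization's grant on the store, the other also requires the member's own permission, and an audit helper lists members who get access without it. The permission name `manage_stores`, the `Partner` and `Member` types and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical name; the report only says "store management permission".
MANAGE_STORES = "manage_stores"

@dataclass
class Partner:
    name: str
    # store -> permissions the store owner granted to the partner organization
    collaborations: dict = field(default_factory=dict)

@dataclass
class Member:
    email: str
    partner: Partner
    permissions: frozenset = frozenset()
    is_owner: bool = False

def store_access_flawed(member, store):
    """Models the reported behaviour: only the organization's grant is checked."""
    return set(member.partner.collaborations.get(store, ()))

def store_access_checked(member, store):
    """Requires the member's own store management permission as well."""
    org_grant = set(member.partner.collaborations.get(store, ()))
    if org_grant and (member.is_owner or MANAGE_STORES in member.permissions):
        return org_grant
    return set()

def audit(members, stores, check):
    """(email, store) pairs where a member lacking the permission still gets access."""
    return [(m.email, s) for m in members for s in stores
            if not m.is_owner and MANAGE_STORES not in m.permissions and check(m, s)]

# Constructed sample data
ACME = Partner("acme-partners", {"collab-shop": {"orders", "products"}})
OWNER = Member("owner@example.test", ACME, is_owner=True)
MANAGER = Member("manager@example.test", ACME, frozenset({MANAGE_STORES}))
STAFF = Member("staff@example.test", ACME)  # invited without store management
MEMBERS = [OWNER, MANAGER, STAFF]
STORES = ["collab-shop", "other-shop"]

if __name__ == "__main__":
    print("flawed :", audit(MEMBERS, STORES, store_access_flawed))
    print("checked:", audit(MEMBERS, STORES, store_access_checked))
```

Run as a regression test, the audit over every member and store pair should return an empty list for the check that is deployed.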