Shopify: Missing authorization check on dashboard overviews

2015-10-13T17:48:54
ID H1:93680
Type hackerone
Reporter shahmeer-amir
Modified 2015-11-10T22:24:59

Description

Users with access to view each channel's Overview could view parts of the Home screen, and vice versa. We fixed the issue by correctly checking for each permission separately on the relevant endpoints. This was a missing cookie-based authorization check which allowed users with limited privileges to allegedly access the sensitive store information while having been disallowed by the Administrator to do so. Using this attack a malicious store user could view/edit the store dashboard views.
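The bug class in the report is easiest to see with a small model of the authorization decision. The following is an added illustration, not Shopify's code or anything from the report: a "before" authorizer reuses one coarse dashboard check for both the Home screen and a channel's Overview, so a staff account holding only one of the two permissions reaches parts of the other; the "after" authorizer checks the exact permission each endpoint requires. The permission names, the endpoint paths, the `Staff` struct and the `audit` helper are all assumptions made for the example.

```ruby
# Added example (not Shopify's code). Models a missing per-endpoint
# authorization check and its fix. Names and paths below are assumed.

Staff = Struct.new(:name, :permissions)

# Constructed sample accounts: two hold exactly one of the permissions.
CHANNEL_ONLY = Staff.new("channel-viewer", [:view_channel_overview])
HOME_ONLY    = Staff.new("home-viewer",    [:view_home])
ADMIN        = Staff.new("admin",          [:view_home, :view_channel_overview])

# Each endpoint and the single permission it should require (assumed paths).
REQUIRED = {
  "/admin/home"                           => :view_home,
  "/admin/channels/online_store/overview" => :view_channel_overview,
}.freeze

DASHBOARD_PERMISSIONS = [:view_home, :view_channel_overview].freeze

# Before: one "may see dashboards?" test is shared by both endpoints, so
# holding either permission opens both screens. This is the bug shape.
def authorize_before(staff, path)
  return :not_found unless REQUIRED.key?(path)
  (staff.permissions & DASHBOARD_PERMISSIONS).any? ? :ok : :forbidden
end

# After: each endpoint checks only the permission it actually needs.
def authorize_after(staff, path)
  needed = REQUIRED[path]
  return :not_found unless needed
  staff.permissions.include?(needed) ? :ok : :forbidden
end

# Regression check: walk every account/endpoint pair and list the ones an
# authorizer admits although the account lacks the required permission.
# Returns [] when the authorizer is correct.
def audit(authorizer)
  [CHANNEL_ONLY, HOME_ONLY, ADMIN].flat_map do |staff|
    REQUIRED.map do |path, needed|
      next nil if staff.permissions.include?(needed)
      authorizer.call(staff, path) == :ok ? [staff.name, path] : nil
    end
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  puts "leaks before fix: #{audit(method(:authorize_before)).inspect}"
  puts "leaks after fix:  #{audit(method(:authorize_after)).inspect}"
end
```

The `audit` walk is the kind of table a tester builds when probing this class of issue: one account per permission, every restricted endpoint, and a note of each cell where the server answers with content instead of a denial.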