Shopify: Paid account can review\download any invoice of any other shop
2015-10-20T20:15:09
ID H1:94899 Type hackerone Reporter dvl Modified 2015-10-22T20:44:39
Description
Hi Shopify Team
I would like to report serious security issue within admin panel of Paid Myshopify account
Paid Customer [after been detached from Development account and valid payment detailes entered] able to review any other invoice, issues to any other client, and download it.
In web variant of invoice, financial details revealed.
In PDF variant - address of web shop, owner's email and all billing information [name\address\money amount etc] disclosed
POC:
1. Authenticate in Paid [not Developer] Shop as Shop Owner
2. Go to invoices and alter url by changing invoice number at the end of URL:
Please note, that due to limitation of Developer's account, this test cannot be performed on Dev store.
I also prefer do not attach any screenshots or files, since it will be violation of valid customer's privacy.
If anyway more details needed - please feel free to contact me here for more POC details.
Regards
dvl
{"lastseen": "2018-07-30T14:12:04", "references": [], "bounty": 4000.0, "h1team": {"handle": "shopify", "profile_picture_urls": {"medium": "https://profile-photos.hackerone-user-content.com/000/001/382/30421c25f4a7b03ec3250e36efb64f7291402806_medium.jpg?1532728703", "small": "https://profile-photos.hackerone-user-content.com/000/001/382/1e9872bf9cfe04008c2673e07bfecaa83858cca1_small.jpg?1532728703"}, "url": "https://hackerone.com/shopify"}, "bountyState": "resolved", "description": "Hi Shopify Team\nI would like to report serious security issue within admin panel of Paid Myshopify account\nPaid Customer [after been detached from Development account and valid payment detailes entered] able to review any other invoice, issues to any other client, and download it.\nIn web variant of invoice, financial details revealed.\n**In PDF variant - address of web shop, owner's email and all billing information [name\\address\\money amount etc] disclosed **\n\nPOC:\n1. Authenticate in Paid [not Developer] Shop as Shop Owner \n2. Go to invoices and alter url by changing invoice number at the end of URL: \n\n hxx0s://myshop.myshopify.com/admin/settings/account/invoice/1746632\n\n 3. To download PDF and review other paid user's data, use link:\n\n hxx0s://myshop.myshopify.com/admin/invoices/1746632.pdf\n\nPlease note, that due to limitation of Developer's account, this test cannot be performed on Dev store. \nI also prefer do not attach any screenshots or files, since it will be violation of valid customer's privacy.\nIf anyway more details needed - please feel free to contact me here for more POC details.\nRegards\ndvl", "reporter": "dvl", "published": "2015-10-20T20:15:09", "type": "hackerone", "title": "Shopify: Paid account can review\\download any invoice of any other shop", "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-07-30T14:12:04", "rev": 2}, "dependencies": {"references": [], "modified": "2018-07-30T14:12:04", "rev": 2}, "vulnersScore": 0.4}, "h1reporter": {"disabled": false, "hacker_mediation": false, "hackerone_triager": false, "is_me?": false, "profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/018/725/3242bf7d1ea45a7f9ad2f0f42af8feb746e8f4bb_small.jpg?1426071754"}, "url": "/dvl", "username": "dvl"}, "bulletinFamily": "bugbounty", "cvelist": [], "modified": "2015-10-22T20:44:39", "id": "H1:94899", "href": "https://hackerone.com/reports/94899", "viewCount": 2, "cvss": {"score": 0.0, "vector": "NONE"}}
