Hi , i have found a CSRF issue when activating PayPal Express checkout.
https://<your_store>.myshopify.com/admin/settings/paymentsand you'll see that PayPal Express checkout is already active , so click the edit button and deactivate it.
https://<your_store>.myshopify.com/admin/payments/complete_paypal_oauth/41and you'll see that PayPal Express checkout was activated and you'll get a message saying: Successfully activated your account.
I have been trying to link a malicious paypal email through this CSRF by using the following link:
https://<your_store>.myshopify.com/admin/payments/complete_paypal_oauth/41?verification_token=<PAYPAL_TOKEN> but it doesn't work.
This issue is a little bit confusing when being reproduced since it will only work on a store in which the admin never tried to activate PayPal before because if he did so , a
request token will be generated and will be validated for whenever the link is visited.
Please tell me if you are having an issue reproducing it and I will send you a PoC video.