Shopify e-commerce platform exposed to RFD attacks, and the bug is not being fixed - Black Bar Safety Net

ID MYHACK58:62201567635
Type myhack58
Reporter Anonymous
Modified 2015-10-08T00:00:00


WebSegura researcher David Sopas found a Reflected File Download (RFD) vulnerability in the popular multi-channel commerce platform Shopify. Although he sent Shopify a security report, the company does not appear to have recognised the importance of the vulnerability.

Vulnerability details

Shopify is a multi-channel commerce platform that helps people sell online, in physical stores, or both. David Sopas, a well-known security researcher at WebSegura, found a reflected filename vulnerability in the Shopify service. Sopas sent Shopify a security report explaining that exploiting the vulnerability requires no authentication at all: no access token, no API key, not even a Shopify account. The reflected filename vulnerability affects the app.shopify.com service.

The researcher explained that opening the following link in IE9 or IE8 displays a download dialog offering a file named track.bat. If the user runs this batch file, it launches Google Chrome and opens a malicious web page. In this particular case the page only displays some text, but an attacker could clearly use it for malicious activity.

Sopas found that for other browsers, such as Chrome, Opera, Firefox, the Android browser and the latest Android version of Chrome, the user needs to visit a web page that uses an HTML5 attribute to force the download.
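The attack described above works because the service reflects attacker-controlled input into a response that carries no fixed download name and no sniffing protection, so the browser names the file from the URL. The following is an added example, not code from the article, from Sopas or from Shopify: a minimal JSONP-style endpoint in a vulnerable form next to a hardened form, plus a small checker that reports which RFD preconditions a response still satisfies. The endpoint path `/api/data`, the `callback` parameter, the allow-list regex and the sample data are all constructed for this example; the mitigations themselves (strict callback allow-list, exact path match, a fixed `filename` in `Content-Disposition`, and `X-Content-Type-Options: nosniff`) are the generally recommended defences against RFD.

```python
import json
import re

# Constructed policy: a JSONP callback may only be a plain identifier.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")

# The only path this endpoint answers on. A path with an appended
# parameter such as "/api/data;/name.bat" is rejected instead of served.
ENDPOINT_PATH = "/api/data"


def _secure_headers():
    """Headers every response from the hardened endpoint carries."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        # Stops the browser from guessing a different (executable) type.
        "X-Content-Type-Options": "nosniff",
        # Pins the download name so the URL can no longer choose it.
        "Content-Disposition": 'attachment; filename="api-response.json"',
    }


def vulnerable_response(path, callback, data):
    """Reflects the callback verbatim and sets no download name, so the
    browser derives the filename from whatever the request path says."""
    return {
        "status": 200,
        "headers": {"Content-Type": "application/json"},
        "body": f"{callback}({json.dumps(data)})",
    }


def hardened_response(path, callback, data):
    """Same endpoint with the RFD mitigations applied."""
    if path != ENDPOINT_PATH:
        return {"status": 404, "headers": _secure_headers(), "body": ""}
    if not CALLBACK_RE.fullmatch(callback):
        # Rejected input is never echoed back into the response body.
        return {
            "status": 400,
            "headers": _secure_headers(),
            "body": '{"error":"invalid callback"}',
        }
    return {
        "status": 200,
        "headers": _secure_headers(),
        "body": f"{callback}({json.dumps(data)})",
    }


def rfd_risk(response, untrusted_input):
    """Return the list of RFD preconditions this response still meets."""
    findings = []
    headers = {k.lower(): v for k, v in response["headers"].items()}
    reflected = untrusted_input in response["body"]
    if reflected and not CALLBACK_RE.fullmatch(untrusted_input):
        findings.append("reflects unsanitized input")
    if "filename=" not in headers.get("content-disposition", ""):
        findings.append("no fixed filename in Content-Disposition")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    # Constructed sample request: a non-identifier callback and a path that
    # tries to pick the download name.
    sample = {"track": "constructed-sample"}
    bad_callback = 'x"; not a name'
    print(rfd_risk(vulnerable_response("/api/data;/track.bat", bad_callback, sample), bad_callback))
    print(rfd_risk(hardened_response("/api/data", bad_callback, sample), bad_callback))
```

The checker is deliberately conservative: it treats any verbatim echo of input that fails the allow-list as a reflection finding, and it reports missing headers even on error responses, because an error body that reflects input is just as downloadable as a success body.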
Sopas stated in a blog post: "When the victim visits a specially crafted page containing the code, if the victim clicks on the image it will display a download dialog box; after the download is complete, it will show that the file comes from the Shopify server."

This reflected filename attack vector is very hard to spot, because victims usually do not realise they have become the target of an attack, and the malicious file they receive appears to come from a trusted download source, in this case the Shopify website.

A possible attack scenario is as follows:

1. The attacker sends the victim a link that looks like a CSRF or XSS link, through phishing, social networking sites, instant messaging, e-mail and so on.
2. The victim clicks the link and, trusting Shopify as a safe download source, downloads the file.
3. Once the file is executed, the victim is compromised.

Sopas criticised the way Shopify handled the vulnerability; he believes Shopify underestimated the security issue, as can be seen from the timeline Sopas published.

Vulnerability timeline

2015-03-19 Reported the security issue to Shopify.
2015-03-27 No reply, so I asked for an update.
2015-04-06 First contact from Shopify; they replied that it was being processed.
2015-04-15 Shopify told me this was an interesting security issue and requested more information.
2015-04-15 I sent more information and a PoC.
2015-05-04 I asked for an update; no reply.
2015-06-15 I asked for another update; no reply.
2015-09-16 I asked for another update.
2015-09-22 After four months without any mail from Shopify, they replied that they were busy fixing more pressing problems and considered the impact of the issue I raised to be small and its priority low.
2015-09-23 I told them this is not a social engineering problem, but they still did not understand.
2015-09-23 Shopify told me that it was not yet a priority for discussion and that the vulnerability would not be patched immediately.