3 matches found
Shopify: Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT
Using the Shopify Ping application, a user can communicate with Kit. Kit is an application that creates tasks based on the information supplied through the Shopify Ping app by a user. With a few quick messages to Kit using Shopify Ping, a user can create a discount code and promote it, sta...
Shopify: Stored XSS through Facebook Page Connection
The following URL, https://kitcrm.com/users/122686/connections, shows us options to connect our several social networking accounts to kitcrm. Once I connect my Facebook account, the Facebook section in the above link will list all my Facebook pages and will give me an option to select a business...
Shopify: Stealing users' facebook access tokens - kitcrm.com
Summary: I have found a number of minor security vulnerabilities with no impact that, when chained together, will lead to an attacker being able to steal the current user's Facebook access token provided for kitcrm.com. Description: - In kitcrm.com, users register with their Shopify account and the...