4 matches found
Shopify: Customer's full name disclosure via Shopify Chat (by email lookup)
By making use of the Shopify Chat application, it is possible to retrieve a customer's first name and last name by providing their email.

Steps to reproduce
1. Having a shop with Shopify Chat installed, open up https://shop.myshopify.com/?chat in Incognito mode
2. Click on I need an update on my orde...
Shopify: Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation
It came to my attention that the Shopify Chat application allows a customer to retrieve their order status by only providing the order email and number. Noticing that this results in being provided the order status page link, I started playing a bit with both parameters and I found out that it is...
Shopify: Disclose customer orders details by shopify chat application.
Hello Shopify Security Team!

Bug Summary:
=============
This bug leads to disclosure of any store's order details, including sensitive information, through the Shopify Chat app. The chat app can retrieve the order details for an unauthorized user.

Reproduction steps:
=============
- install shopify chat...
Shopify: Stored XSS in Shopify Chat
1. Install app Shopify Chat
2. Click chat on the shop homepage or Shopify Ping to send poc javascript:alert1//https://dqdqdqdqdq.myshopify.com
3. Click url, alert F657395

Impact
1. Front end user Self-XSS
2. Administrator XSS foreground user...