Shopify: [h1-2102] Break permissions waterfall
Summary: Shopify Plus User permission roles will propagate changes to all the users in the role. It's possible to break this: if you pass FULL along with other permissions into a user role edit, it will propagate to the users and give them full access while the role shows partial access. Steps To...
Shopify: [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement
Summary: There is an access control issue that happens when a Shopify Plus user tries to update the 2FA requirement of a user in another organisation. While the response shows an error message, an email is sent to the user with the 2FA status, first name, last name, email address, and shop id fro...
Shopify: [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole
Summary: There is an access control issue that happens when a Shopify Plus admin tries to assign a role to a user in another organisation. While the response shows an error message, an email is sent to the shop admin with the first name, last name and email address of the user. Steps To Reproduce...
Shopify: CSRF on https://shopify.com/plus
Hello. To reproduce this CSRF, visit https://www.shopify.com/plus?insppingurln=https://example.com/%23 and this POST request will be sent to example.com: POST https://example.com/ HTTP/1.1 User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64; rv:44.0 Gecko/20100101 Firefox/44.0 Accept: application/jso...