Shopify

Hello team, on report #1370749 the reporter found that the preview link is not expiring. So when someone will gain access to the preview link, he can access it for whole life as the preview link remains the same even after changing the storefont password. I have reported the issue #1401525 where i am getting the preview link with a user with limited permission. But it was duplicate of #1370749, because on that fix , getting the storefont url couldn't be accessed later after changing the store password. The report #1370749 has been fixed and the fix worked properly now upon changing the storefont password the previous preview link is expiring. But i have found another endpoint where it is leaking the storefont preview url and the strange thing is , it is not expiring even after the password change for the store font. It is remaining static and we can access the store through that permanently. 1- Admin of https://shakti-jan2022.myshopify.com/ invites user-a with themes permission only. 2- from User-a visit https://shakti-jan2022.myshopify.com/admin/themes 3- Now check the http history in burp, you will find an request ``` POST /admin/online-store/themes?hmac=████&host=c2hha3RpLWphbjIwMjIubXlzaG9waWZ5LmNvbS9hZG1pbg&locale=en-IN&session=███&shop=shakti-jan2022.myshopify.com×tamp=1645562098&_signed_params=host%2Clocale%2Csession%2Cshop%2Ctimestamp HTTP/1.1 Host: shakti-jan2022.myshopify.com Connection: close Content-Length: 581 Cache-Control: max-age=0 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: null Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: ████ appShellSessionToken=███████&appShellAttempts=1&appShellReason= ``` Now the response will be ``` HTTP/1.1 200 OK Date: Tue, 22 Feb 2022 20:35:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Sorting-Hat-PodId: 240 X-Sorting-Hat-ShopId: 62790336753 Vary: Accept-Encoding X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Referrer-Policy: origin-when-cross-origin Content-Security-Policy: frame-ancestors https://shakti-jan2022.myshopify.com; default-src 'self' https://cdn.shopify.com https://cdn.shopifycdn.net; frame-src https://*; base-uri 'self'; object-src 'none'; img-src 'self' data: https://*; style-src 'self' 'unsafe-inline' https://cdn.shopify.com https://cdn.shopifycdn.net; font-src 'self' https://fonts.shopifycdn.com https://cdn.shopify.com https://cdn.shopifycdn.net; script-src 'self' https://cdn.shopify.com https://cdn.shopifycdn.net 'nonce-555f8cbe-fbc4-4125-9ae1-285b0bd06c9c'; connect-src 'self' online-store-web.shopifyapps.com https://notify.bugsnag.com https://burst.shopify.com wss://argus.shopifycloud.com https://shopify.s3.amazonaws.com monorail-edge.shopifysvc.com X-Dc: gcp-asia-southeast1,us-east1 X-Request-ID: d9d0bda6-b4bd-489b-9c3c-7384cbba086a X-Permitted-Cross-Domain-Policies: none CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Server: cloudflare CF-RAY: 6e1affb60b3d8577-BOM alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Content-Length: 39792 Shopify