Paid account can review\download any invoice of any other shop

Hackerone #94899
Target: Shopify
Target Module:
Type: Authentication
Payload:
Original: Link
CVE:
Shopify allows a user to export invoice PDF files from their admin portal for their shop using URLs like this:

https://myshop.myshopify.com/admin/invoices/1746632.pdf

The issue was that the numeric invoice ID in "1746632.pdf" could simply be incremented or decremented to view invoices belonging to other shops: the download endpoint checked that the caller was logged in, but not that the requested invoice belonged to the caller's shop.
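To make the defect concrete, here is an added example (not Shopify's code and not part of the original report) that models the invoice-download lookup in plain Ruby with an in-memory store. The shop names, invoice IDs, totals, the `find_invoice_*` functions and the `serve_invoice_pdf` handler are all constructed for illustration; the fix is to scope the lookup to the authenticated shop and to return the same 404 for foreign and nonexistent invoices.

```ruby
# Added example (not Shopify's code): models the invoice-download lookup
# in plain Ruby with an in-memory store, so it runs without Rails.
# All shop and invoice data below is constructed for illustration.

Invoice = Struct.new(:id, :shop, :total)

INVOICES = [
  Invoice.new(1746631, "othershop",   "$12.00"),
  Invoice.new(1746632, "myshop",      "$40.00"),
  Invoice.new(1746633, "anothershop", "$7.50"),
].each_with_object({}) { |inv, h| h[inv.id] = inv }.freeze

# Vulnerable lookup: trusts the numeric ID from the URL and never checks
# which shop the request is authenticated for, so any valid ID is served.
def find_invoice_vulnerable(_current_shop, id)
  INVOICES[id]
end

# Fixed lookup: the invoice must belong to the authenticated shop.
# Unknown IDs and other shops' invoices both yield nil, so the response
# does not reveal whether a given ID exists.
def find_invoice_scoped(current_shop, id)
  inv = INVOICES[id]
  inv if inv && inv.shop == current_shop
end

# Parses the numeric ID out of a path like /admin/invoices/1746632.pdf.
def invoice_id_from_path(path)
  m = path.match(%r{\A/admin/invoices/(\d+)\.pdf\z})
  m && m[1].to_i
end

# Simulates serving the download for an authenticated shop and request path.
# Returns [status, body]; 404 for both missing and foreign invoices.
def serve_invoice_pdf(current_shop, path, lookup: method(:find_invoice_scoped))
  id = invoice_id_from_path(path)
  return [400, "bad request"] unless id
  inv = lookup.call(current_shop, id)
  return [404, "not found"] unless inv
  [200, "PDF for invoice #{inv.id} of #{inv.shop}, total #{inv.total}"]
end

if __FILE__ == $PROGRAM_NAME
  # Own invoice: served either way.
  p serve_invoice_pdf("myshop", "/admin/invoices/1746632.pdf")
  # Neighbouring ID with the vulnerable lookup: another shop's invoice leaks.
  p serve_invoice_pdf("myshop", "/admin/invoices/1746633.pdf",
                      lookup: method(:find_invoice_vulnerable))
  # Same request with the scoped lookup: 404, indistinguishable from a missing ID.
  p serve_invoice_pdf("myshop", "/admin/invoices/1746633.pdf")
end
```

The scoped version is the whole fix: the ownership check lives in the lookup rather than in each controller, so a new endpoint that reuses it cannot reintroduce the bug. Using the same 404 for "not yours" and "does not exist" also removes the response difference that makes ID enumeration easy to confirm.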

This is a simple bug that paid out $4k, so why was it not found before?

dvl took the time and effort to create a paid account on Shopify and then buy an item from his own store to create an invoice record, which is where he was able to find this attack. This extra effort proved worthwhile.

How To Perform

  1. Keep an eye out for IDs being used, attempt to increment/decrement the values, and compare the response to responses for known IDs.
  2. Look for areas where other testers would have given up, to get out of the low-hanging-fruit areas.