How I made $500 from Shopify: Story of a privilege escalation bug






Hi dear followers,


Shopify launched their bug bounty program on HackerOne.


This post is about a bug on Shopify: a privilege escalation affecting invited users. Any user who has full access to a shop can also claim the accounts of invited users and then use those accounts for spoofing, against both the shop owner and the users who were invited to the shop.
There are two options for inviting users:
1. The shop owner can invite them. The invited users receive a link at their email address, and after clicking the link they can create their account.
2. The shop owner can create the account on their behalf and then provide them with the email and password.
One more thing: only the shop owner can invite users.

The second option can only be performed by the person who is the shop owner.

Suppose there are three users, A, B and C. A is the shop owner, B is a user who has full access to the shop, and C is a user who has been invited by A. Now B logs into his account and navigates to Settings > General and the invited users link. The link for the invited user C looks like this:


C - Invited



Now B clicks on "Invited" and can create the account on behalf of user C. After B has created the account on behalf of C, shop owner A's settings will show him that the account has been claimed by the user he invited, C.
Now B can use C's account to do malicious things to the shop, and the shop admin will think that this was done by C.
This is a privilege escalation against C and also against the shop owner, because, as I described before, only the shop owner can invite users and create accounts on behalf of invited users.


They have now fixed the bug: only the shop owner can access the invited and joined users tab on their Shopify account.
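As an added example (not Shopify's code; Shop, Staff, Invite and the method names are assumed), here is a small Ruby model of the flaw: the vulnerable check only asks whether the actor has full access, while the owner-only check matches the fix, and each claim records who performed it so the owner can tell a self-claim from one made on the invitee's behalf:

```ruby
# Added example, not Shopify's code: a minimal model of the invite-claim
# authorisation flaw above. Shop, Staff, Invite and method names are assumed.
class NotAuthorized < StandardError; end
Staff  = Struct.new(:email, :role) # role: :owner or :full_access
Invite = Struct.new(:email, :token, :claimed_on_behalf_by)

class Shop
  attr_reader :owner, :staff
  def initialize(owner_email)
    @owner   = Staff.new(owner_email, :owner)
    @staff   = { owner_email => @owner }
    @invites = {}
  end

  # Inviting is owner-only, as the post states.
  def invite(actor, email)
    raise NotAuthorized, "only the owner may invite" unless actor.role == :owner
    token = "tok-#{email}" # constructed; a real system uses a random secret
    @invites[token] = Invite.new(email, token, nil)
    token
  end

  # Vulnerable: only "full access?" is checked, so staff B can claim C's invite.
  def claim_on_behalf_vulnerable(actor, token)
    raise NotAuthorized unless %i[owner full_access].include?(actor.role)
    finish_claim(token, actor)
  end

  # Hardened, matching the fix: only the shop owner may create the account
  # on the invitee's behalf; full-access staff are refused.
  def claim_on_behalf(actor, token)
    raise NotAuthorized, "only the owner may claim on behalf" unless actor.role == :owner
    finish_claim(token, actor)
  end

  # The invitee claims their own invite with the token from their e-mail.
  def claim_own(token)
    finish_claim(token, nil)
  end
  private
  def finish_claim(token, actor)
    invite = @invites.delete(token)
    raise ArgumentError, "unknown or already claimed token" unless invite
    # Record who performed the claim so the owner can tell a self-claim apart.
    invite.claimed_on_behalf_by = actor&.email
    @staff[invite.email] = Staff.new(invite.email, :full_access)
    invite
  end
end
```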


Shopify awarded me a bounty of $500 for reporting this bug.

Hope you enjoyed this post.

Feel free to comment; questions are welcome.


Thanks,
Jitendra K Singh and the whole Computer Korner and I-HOS team.


