Read access to hidden orders, products, customers etc. by limited-access staff member through reference page in Comments (Information disclosure)
State Resolved (Closed)
Disclosed publicly 2018-12-06T15:04:05.384Z
Reported To
Weakness Improper Authentication - Generic
Bounty $500

Summary by vijay_kumar1110

This report demonstrated that an admin user without the corresponding resource permissions can reveal a summary of resources by adding a reference to the resources (products, orders, inventory etc.) in timeline comments. This can be achieved by posting a comment [#O3103227907|foobar], which reveals a summary of the order in the comment.

submitted a report to Shopify.

Hi Team,

Note: I have reported multiple issues related to information disclosure which were closed as N/A due to some lack of information. This issue will look similar by title, but it's different from the other issues. Before testing anything I have ensured that all other permissions are limited for the account, so by no means should he be able to get this information.
Description: Any staff member with limited access can view the details of his limited area.
Ex: If a staff member has limited access to orders, he can still view orders. If he has limited access to customers, he can still view customer details like name, email etc.
This is possible through the comment section in products, orders etc. In the comment section you will see the # sign with which you can refer to any page. Now, you won't have access to the pages where your access is limited. Suppose you have access to products but no access to orders. When you click the # sign you can only find product pages, but you won't find the order-related pages.
Now, while commenting, you need to add the ID of that order and you will be able to see the details of that order in the comment.

Steps to reproduce:
Let's say a staff member has limited access to products and orders, but he has access to products.
*Access details: No access to orders, order_creation, customers, reports, discounts etc.

  1. Now open any transfer from the product menu and you will see the comment section, where you will see the # sign with which you can refer to any page of orders, products, customers etc.
  2. When you click on this #, you will notice that it only shows the product-related reference pages. It won't show the orders and customers pages because of your access restrictions. It means you don't have access to them and you can't refer to these pages.
  3. Now put in any product page, add some comment to it and save it. Intercept this request and change the product ID to an order ID, and the order details will be posted. Instead of an order ID, if you put in a customer ID, you will get the customer's name and email address.

So this is how any user who has limited access to any feature can access it by this method.


Suppose a staff member has limited access to orders, draft_order and customers; then he should not be able to access this information.

Modified HTTP request:

POST /admin/transfers/774529/timeline_comments HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRF-Token: RZIoZCcT7SGMNDwD6wl0gHzb1ACcOm1uSXy/NbItuXwQr/95Jzg+24HCWIM4Wzc0Z/F76VYd4iuPF1jj7X0zrQ==
X-Requested-With: XMLHttpRequest
Content-Length: 187
Content-Type: multipart/form-data; boundary=---------------------------191772538514734
Connection: keep-alive

Content-Disposition: form-data; name="timeline_comment[body]"

[#O3599995137|Order #1005]

I changed the product ID to an order ID here. In the timeline body you have to add the order ID to get the order details. If you want to retrieve the customer's details you need to add the customer ID in the following format: [#C3502872769| anyword]

Here you will be able to get the email address, name and profile photo of the customer.

Impact:
If any Shopify owner wants to hire an expert in such a way that he should not be able to access customer details, orders, order_creation and related items, then the staff member should not be able to access these things from anywhere. But by this method the staff member can get access to all this information.

Let me know if you need any other help from my side to reproduce this issue. I can provide a video POC if needed.

Best Regards!
Vijay Kumar
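The fix this report calls for is a server-side check of every reference a comment carries, both when the comment is stored and when it is rendered, since the client-side picker only hides what it may not show. The following is an added example, not Shopify's code; the P prefix, the permission names and the sample resources are assumptions:

```ruby
# Added example, not Shopify's code: server-side authorization of the
# resource references embedded in timeline comments. Reference syntax as
# seen in the report: [#<TypeLetter><id>|<label>], e.g. [#O3599995137|Order #1005].
REFERENCE = /\[#([A-Z])(\d+)\|([^\]]*)\]/

# Permission a staff member needs per reference prefix. O (order) and
# C (customer) appear in the report; P (product) is an assumption.
PREFIX_PERMISSIONS = { "O" => :orders, "C" => :customers, "P" => :products }.freeze

# Constructed sample data standing in for the shop's resources.
RESOURCES = {
  ["O", "3599995137"] => "Order #1005 - 2 items, $84.00",
  ["C", "3502872769"] => "Jane Doe <jane@example.com>",
  ["P", "1111"]       => "Blue T-shirt"
}.freeze

# References in a comment body that the staff member may not read.
# Unknown prefixes are treated as unauthorized (fail closed). This runs
# on the server: the client-side picker only hides what it may not show,
# and the intercepted request in the report bypasses that picker.
def unauthorized_references(body, permissions)
  body.scan(REFERENCE).reject do |type, _id, _label|
    perm = PREFIX_PERMISSIONS[type]
    perm && permissions.include?(perm)
  end
end

# Creation-time check: refuse to store a comment that references
# resources its author cannot read, rather than storing and leaking it.
def create_comment(body, permissions)
  bad = unauthorized_references(body, permissions)
  return [:rejected, bad.map { |type, id, _| "#{type}#{id}" }] unless bad.empty?
  [:ok, body]
end

# Render-time check: expand a reference to its resource summary only for
# viewers with the matching permission; everyone else sees the bare label.
def render_comment(body, permissions)
  body.gsub(REFERENCE) do
    type, id, label = Regexp.last_match.captures
    perm = PREFIX_PERMISSIONS[type]
    if perm && permissions.include?(perm) && RESOURCES.key?([type, id])
      "#{label} (#{RESOURCES[[type, id]]})"
    else
      label
    end
  end
end
```

The render-time check matters on its own: comments stored before the fix, or written by a colleague with wider permissions, must still not expand into resource data for a viewer who lacks the permission.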


Thank you for reporting this bug! This is an automated response to let you know that we've received your issue, and we'll process it as soon as possible. Our team is busy triaging and fixing HackerOne reports, and it may take us up to 1 week (or more) to triage any given issue. Don't worry, we'll get to yours! While you are waiting, you can read over our list of non-applicable issues listed on our program page: make sure your issue isn't listed!

clayton Activities::BugTriaged
Thank you for your report. Our engineering team is investigating the issue.

vijay_kumar1110 Activities::Comment
@clayton: Can I get any ETA to resolve this issue?

clayton Activities::Comment
Unfortunately we can't provide ETAs. Thank you for your patience.

vijay_kumar1110 Activities::Comment
@clayton: It's been 3 months since I reported the issue, but still no resolution for this one. I request you to update me on the status of the issue and let me know if you need any help from my side. Best Regards! Vijay Kumar

clayton Activities::Comment
We are still investigating this, and will contact you when we have an update. Thank you for your patience.

vijay_kumar1110 Activities::Comment
@clayton: Hope you are good! It's been 6 months since I reported this issue and I have asked for an update 2 times. Both times I got a response saying that you are still investigating this issue and will update me when you have more information about it. I have reported many issues earlier and got a response and resolution very fast, but this report has been pending for the past 6 months. I would request you to look at this issue and resolve it ASAP or provide me any update regarding this. Let me know if you need any other help from my side. Best Regards! Vijay Kumar

vijay_kumar1110 Activities::HackerRequestedMediation
It's been 6 months on this issue. Still the issue is not resolved and the bounty hasn't been awarded. I am not getting any response to my comment. Kindly resolve the issue ASAP and let me know if you need any help from my side. Best Regards! Vijay Kumar

clayton Activities::Comment
@vijay_kumar1110 We still plan to resolve this issue, however we cannot guarantee a timeline. Issues are resolved based on priority, and there are other more urgent issues that need to be resolved first. Our policy is to award a bounty only after an issue is resolved, so unfortunately you'll have to wait a while longer until this is fixed. Thank you for your patience.

oauth Activities::BugResolved
Thanks again for your report! This issue is resolved. Our next round of bounty decisions will take place within two weeks, so we will be in touch with you again soon.

Thanks for helping improve the security of Shopify!

vijay_kumar1110 Activities::AgreedOnGoingPublic
Can we disclose this please!!

shopify-peteryaworski Activities::AgreedOnGoingPublic

shopify-peteryaworski Activities::ReportBecamePublic