This report demonstrated that a staff user lacking the corresponding resource permissions can reveal a summary of resources (products, orders, inventory, etc.) by adding a reference to them in timeline comments. This is achieved by posting a comment such as [#O3103227907|foobar], which reveals a summary of the order inside the comment.
Hi Team,
Note: I have reported multiple issues related to information disclosure which were closed as N/A due to some lack of information. This issue may look similar by title, but it is different from the other issues. Before testing anything I ensured that all other permissions are limited for the account, so there is no way it should be able to get this information.
Description: Any staff member with limited access can still view details from the areas their access excludes.
Ex: If a staff member's access to orders is limited, he can still view orders. If his access to customers is limited, he can still view customer details such as name and email.
This is possible through the comment section on products, orders, etc. In the comment section you will see the # sign, with which you can reference any page. You will not have access to the pages where your access is limited. Suppose you have access to products but no access to orders. When you type the # sign you can only find product pages; you will not find the order-related pages.
However, while commenting you can add the ID of that order directly, and you will then be able to see the details of that order in the comment.
Steps to reproduce:
Let's say a staff member has limited access, with no access to orders but access to products.
* Access details: no access to orders, order_creation, customers, reports, discounts, etc.
So this is how any user with limited access to a feature can still reach it by this method.
Suppose a staff member has limited access to orders, draft_order and customers; then he should not be able to access this information.
Modified HTTP request:
POST /admin/transfers/774529/timeline_comments HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------191772538514734
Content-Disposition: form-data; name="timeline_comment[body]"
I changed the product ID to the order ID here. In the timeline_body you have to add the order ID to get the order details. If you want to retrieve the customer's details you need to add the customer ID in the following format: [#C3502872769| anyword]
Here you will be able to get the customer's email address, name and profile photo.
If a Shopify owner wants to hire an expert in such a way that he should not access customer details, orders, order_creation and related items, then the staff member should not be able to access these things from anywhere. But by this method the staff member can get access to all this information.
Let me know if you need any other help from my side to reproduce this issue. I can provide a video PoC if needed.
Best Regards!
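The root cause described above is that a reference such as [#O3103227907|foobar] is expanded into a resource summary without checking whether the person who posts or views the comment is allowed to see that resource. The following is an added example, not Shopify's code, of how a timeline-comment renderer can gate that expansion: references are resolved only when the viewer holds the permission for the referenced resource type, and a comment is rejected at posting time if its author references anything they cannot see. The prefix-to-resource mapping, the permission names (:orders, :customers, :products) and the sample records are assumptions constructed for this example.

```ruby
# Added example, not Shopify's code: expand timeline-comment references such
# as [#O3103227907|foobar] only when the viewer holds the permission for the
# referenced resource type. The prefix-to-resource mapping, permission names
# and sample records below are assumptions constructed for this example.

MENTION_RE = /\[#(?<prefix>[A-Z])(?<id>\d+)\|(?<label>[^\]]*)\]/

# Assumed: which staff permission a reference prefix requires.
PREFIX_TO_RESOURCE = {
  'O' => { type: :order,    permission: :orders },
  'C' => { type: :customer, permission: :customers },
  'P' => { type: :product,  permission: :products }
}.freeze

# Constructed sample records; the summary is what an expanded reference reveals.
RESOURCES = {
  order:    { 3103227907 => 'Order #1001, $120.00, unfulfilled' },
  customer: { 3502872769 => 'Jane Doe <jane@example.com>' },
  product:  { 1234567890 => 'Blue T-Shirt' }
}.freeze

# Parse every reference in a comment body into prefix/id/label hashes.
def parse_mentions(body)
  body.scan(MENTION_RE).map do |prefix, id, label|
    { prefix: prefix, id: id.to_i, label: label.strip }
  end
end

# Replace each reference with its summary only if the viewer may see that
# resource type; otherwise emit an opaque placeholder so nothing leaks.
def render_comment(body, viewer_permissions)
  body.gsub(MENTION_RE) do
    m = Regexp.last_match
    mapping = PREFIX_TO_RESOURCE[m[:prefix]]
    if mapping.nil?
      '[unknown reference]'
    elsif !viewer_permissions.include?(mapping[:permission])
      '[restricted]'
    else
      summary = RESOURCES[mapping[:type]][m[:id].to_i]
      summary ? "#{m[:label].strip} (#{summary})" : '[not found]'
    end
  end
end

# Reject a comment at posting time if its author references anything they
# cannot see, so the reference is never stored in the first place.
def comment_allowed?(body, author_permissions)
  parse_mentions(body).all? do |mention|
    mapping = PREFIX_TO_RESOURCE[mention[:prefix]]
    mapping && author_permissions.include?(mapping[:permission])
  end
end

if __FILE__ == $PROGRAM_NAME
  body = 'Please check [#O3103227907|foobar] and [#C3502872769| anyword]'
  puts render_comment(body, [:products])          # both references restricted
  puts render_comment(body, [:orders, :customers]) # both expanded
  puts comment_allowed?(body, [:products])        # false
end
```

Both checks matter: the render-time check protects every viewer of an existing comment, while the posting-time check stops a staff member with limited permissions from creating a comment that would be expanded for colleagues with broader access. The placeholder text for a restricted reference deliberately gives no hint of whether the ID exists, so probing IDs through comments yields nothing.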