How I Earned $1750 at Shopify Bug Bounty Program

Introduction

This article is a write up on how I found a critical XSS vulnerability at Shopify Core in Shopify Bug Bounty Program due to which I was Acknowledged and listed in Top 10 at Shopify Hacker’s Hall of Fame in the World.

I wrote this for educational purposes only. Do not perform any illegal activity or pen-testing without permission.

Introduction to Cross-site scripting ( XSS )

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.

Vulnerability exploitation

So my target was Shopify because they are very fast in response and resolving reports. I started surfing your-store.myshopify.com and I went to settings and found Login Services which was quite an interesting part.

I Enabled Google Apps for login to check what exactly happens when we give permission to Staff members to log in through Google.

Now we have Log in with Google option Enabled !!

Now My Favourite way to hunt such bugs is whenever I look at such options or links first thing that comes in my mind is Open Redirect !!

What is Open Redirect?

One of the most common and largely overlooked vulnerabilities by web developers is Open Redirect (also known as “Unvalidated…