Shopify XSS

  • Title: XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via a whitelist bypass in the SVG icon for sales channel applications.
  • Reported by: Luke Young.
  • Bounty rewarded: $5,000.
  • Web application URL: https://*.shopify.com.
  • Description: Shopify is an e-commerce platform that lets its users create online stores and shopping portals, whether they sell in person, online, or on social media. Shopify runs one of the highest-paying bug bounty programs on HackerOne.
  • Shopify has an extension that allows third-party developers to create applications specifically for sales channels. That extension has an input through which a developer can upload icon images in the following formats: JPG, GIF, and SVG. Luke identified that, although the endpoint whitelists file extensions, it does not properly decode and sanitize SVG content, so a malicious user can upload a crafted SVG image. In this case the crafted SVG carries the XSS payload:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg [
<!ENTITY elem "">
]>
<svg onload="alert(document.domain);" height="16" width="16">
&elem;
</svg>

The previous payload could be embedded in an SVG image which, once uploaded, would be triggered on the Shopify partner's dashboard or on any Shopify store that has granted the app access. Upon saving the vector, it is executed on partners.shopify.com and on any Shopify store such as $storename$.myshopify.com/admin/.
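The root cause here is an extension whitelist with no inspection of the SVG itself. The following is an added example, not Shopify's code, of the kind of server-side check that closes that gap: it feeds the report's payload (reconstructed inline as a sample input) and a constructed benign icon through the check, and the element denylist and the helper names are assumptions.

```python
import xml.parsers.expat

# Extension whitelist of the kind the page says the upload endpoint relied on.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "gif", "svg"}
# Hypothetical minimal denylist; production code should allowlist SVG elements.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}

# Constructed samples: the report's payload shape, and a benign icon.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE svg [ <!ENTITY elem ""> ]>
<svg onload="alert(document.domain);" height="16" width="16">&elem;</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
<circle cx="8" cy="8" r="6" fill="green"/></svg>"""


class UnsafeSvg(Exception):
    """Raised by the expat handlers as soon as a dangerous construct is seen."""


def extension_allowed(filename: str) -> bool:
    """The extension check alone: any well-named SVG passes it."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def svg_content_safe(data: bytes) -> bool:
    """Stream the SVG through expat; reject DTDs, active elements and event handlers."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvg("DOCTYPE / entity declarations are not allowed")

    def on_start(name, attrs):
        if name.rsplit(":", 1)[-1].lower() in FORBIDDEN_ELEMENTS:
            raise UnsafeSvg(f"forbidden element <{name}>")
        for attr, value in attrs.items():
            local = attr.rsplit(":", 1)[-1].lower()
            if local.startswith("on"):  # onload, onclick, onerror, ...
                raise UnsafeSvg(f"event handler attribute {attr}")
            if local == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                raise UnsafeSvg(f"active URL in {attr}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except (UnsafeSvg, xml.parsers.expat.ExpatError):
        return False  # malicious or malformed: reject either way
    return True


def accept_icon_upload(filename: str, data: bytes) -> bool:
    """What the endpoint needed: extension whitelist plus SVG content inspection."""
    if not extension_allowed(filename):
        return False
    return svg_content_safe(data) if filename.lower().endswith(".svg") else True
```

Note that the extension check by itself accepts the malicious file; only the content check rejects it.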

After crafting the payload, it is only a matter of convincing the victim to install the sales channel app into their Shopify store:

/admin/oauth/authorize?client_id=672a937d5eb24e10c756ea256c73bb8c&scope=read_products&redirect_uri=https://attackerdoma.in/93ba4bef-cff1-43b1-922d-0631bd387e2e.html&state=nonce 

After the integration, the alert box appears in the victim's dashboard. This vulnerability is therefore an example of chaining an XSS with OAuth, plus an element of social engineering, to achieve complete exploitation.
