On October 5th, 2015, a security researcher named Dhaval Chauhan reported a vulnerability in Shopify's code.
This vulnerability affected the application, after the user was logged into the application. Then, there are two possible consequences.
The first consequence is related to the following URL:
http://ecommerce.shopify.com/accounts?found_email=true&return_to=.mx%2F&user%5Bemail%[email protected]
Once the user enters their email in the URL, they are redirected to the Mexican site, which is determined by the mx value in the return_to parameter. This parameter can be manipulated, allowing us to redirect the user to other extensions in the domain, or to complete different domains to steal their data.
The other possibility is in the same module, but with the following URL:
https://ecommerce.shopify.com/accounts?return_to=////testsite.com
In this case, the return_to parameter is used to redirect the user to another section in the same application, but it is possible to use it to redirect the user to a completely different site.