Customer account takeover in Shopify stores


During the recent Ambassador World Cup held by HackerOne, we identified an account takeover vulnerability in Shopify affecting a subset of Shopify's Shop users. A successful exploit would have allowed attackers to take over the accounts of Shop users in public Shopify stores, giving access to their order history and shipping addresses. Shopify recently introduced Shop Pay within the Shop application. Shop Pay allows users to easily purchase items in most Shopify stores by storing their payment information in their Shop account. However, Shop accounts do not have Shop Pay enabled by default: users must manually enable this feature in their Shop settings or when purchasing an item from a store that supports Shop Pay.