One of the most common vulnerabilities occurs when a user is able to access something they should not have access to. If a malicious actor exploits this and reads confidential information belonging to other users, the result is a leak of sensitive data. This class of vulnerability is called information disclosure, and it can take many forms.
Usually, web application developers do a good job of checking whether a user should be able to access the information they are requesting. However, in hidden or obscure spots, it is easy to forget to validate whether a user has proper access. For example, I previously wrote about a $20,000 bug found in GitLab that similarly revealed data to unauthorized users.
Shopify had a similar bug discovered by HackerOne user zambo that allowed users to retrieve order information that they should not have had access to. I will be going over zambo's summary and report provided at HackerOne. Please read the original report for zambo's own analysis.
Shopify is one of the largest e-commerce platforms in the world. It allows users to set up online stores and interact with their customers without having to deal with nearly any of the technical challenges needed to build and support such an online application. One of the provided features is a chat app that allows customers to have real-time interaction with the store.
HackerOne user zambo investigated an option in the chat that states "I need an update on my order." When this button is clicked, it sends out a POST request containing an order_lookup JSON object with the information requested. Note: The following request is from zambo's original post, but modified to show a normal request as well as to redact information about the target.
zambo noticed that the only validation performed on the email value was to make sure that a mail domain (the part after the @) was provided. This meant that changing the email value to @gmail.com, @yahoo.com, etc. would still pass the validation, even though none of those is an actual mailbox. zambo also noticed that the order_number value apparently starts at 1000 and increments by 1 on each new order, so every valid order number can be guessed. Combining these two facts, zambo was able to confirm that this was in fact an insecure direct object reference (IDOR): the endpoint used order_number alone to select the record and never checked that the supplied email belonged to that order, so an attacker could retrieve the order information of any order made on that store.
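To make the failure concrete, here is an added example (my own illustration, not code from zambo's report or from Shopify) of an order-lookup handler with the same two weaknesses, next to a hardened version. The order data, the field names and the exact validation logic are constructed assumptions for illustration; the real endpoint's internals are not shown in the report.

```python
"""Added example: an order_lookup handler with the IDOR pattern described
above, beside a hardened version. Data and validation rules are assumed,
not Shopify's real implementation."""
import hmac
import re

# Constructed sample data: sequential order numbers starting at 1000,
# as the write-up describes. Contents are made up.
ORDERS = {
    1000: {"email": "alice@example.com", "items": ["lamp"], "total": "45.00"},
    1001: {"email": "bob@example.org", "items": ["chair", "rug"], "total": "310.00"},
    1002: {"email": "carol@example.net", "items": ["desk"], "total": "199.00"},
}

# A complete address: non-empty local part, one @, domain containing a dot.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def weak_email_check(email: str) -> bool:
    """Assumed vulnerable check: only demands that a mail domain follows
    the @, so '@gmail.com' passes even though it names no mailbox."""
    _, sep, domain = email.partition("@")
    return sep == "@" and "." in domain


def lookup_order_vulnerable(payload: dict) -> dict:
    """IDOR: order_number alone selects the record; the email is only
    format-checked and never compared with the order's owner."""
    if not weak_email_check(payload.get("email", "")):
        return {"error": "invalid email"}
    order = ORDERS.get(payload.get("order_number"))
    if order is None:
        return {"error": "not found"}
    return {"order": order}


def lookup_order_hardened(payload: dict) -> dict:
    """Fix: treat (order_number, email) together as the credential. The
    order is returned only when the supplied email matches the one stored
    on the order, and every failure yields the same response so the
    endpoint cannot be used as an oracle for which order numbers exist."""
    email = payload.get("email", "")
    order_number = payload.get("order_number")
    if not isinstance(order_number, int) or not EMAIL_RE.match(email):
        return {"error": "order not found"}
    order = ORDERS.get(order_number)
    owner = order["email"] if order else ""
    # Case-insensitive, constant-time comparison against the stored owner.
    if order is None or not hmac.compare_digest(
        owner.lower().encode(), email.lower().encode()
    ):
        return {"error": "order not found"}
    return {"order": order}


def enumerate_orders(lookup, start: int = 1000, count: int = 5) -> dict:
    """What an attacker does with sequential IDs and a domain-only email:
    walk the order numbers and record the owner email of each order that
    the endpoint hands back."""
    leaked = {}
    for n in range(start, start + count):
        resp = lookup({"order_number": n, "email": "@gmail.com"})
        if "order" in resp:
            leaked[n] = resp["order"]["email"]
    return leaked


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_orders(lookup_order_vulnerable))
    print("hardened endpoint leaks:  ", enumerate_orders(lookup_order_hardened))
    print("legitimate lookup:", lookup_order_hardened(
        {"order_number": 1001, "email": "Bob@example.org"}))
```

The point of the hardened version is not the stricter regex; a stricter regex alone would only force the attacker to type a real-looking address. What closes the hole is that the email becomes part of the authorization decision, so knowing (or guessing) an order number is no longer enough. Returning an identical "order not found" for a bad email, a mismatched email and a missing order is a small extra step that stops the sequential numbering from being used to map how many orders the store has taken.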
In security, people often hold the CIA triad (confidentiality, integrity, and availability) to be the guiding security principles. In this case, the confidentiality principle is violated. I am not sure exactly how damaging the information leaked from orders would be (i.e., whether it is simply the products bought or whether sensitive financial or shipping information is included), but either way, it is customer information that should remain private.
This makes the bug medium severity. Luckily, there appears to be no escalation path and no violation of either integrity or availability that would make the bug more severe. Even so, this bug earned a well-deserved $2500 reward for zambo. Congrats again! A reminder (and encouragement) that bugs do not have to be sophisticated to cause great damage.
Thanks for reading through and please leave any constructive feedback, suggestions, or questions below! If you enjoyed, please consider following me on Medium. Contact me at [email protected], follow me on twitter, and connect with me on LinkedIn!