Sometimes the best hack is no hack at all — $2900 Shopify Bug Bounty
2022-8-26 15:58:17 Author: infosecwriteups.com

Access control is key.


Broken Access Control was listed by the Open Web Application Security Project (OWASP) as the number one web application security risk in 2021. As applications grow more complex, with more API endpoints and more features, it becomes harder to define authorization policies and to enforce them consistently across every route.

An important security principle in many systems (not just software) is least privilege: users are granted only the permissions to read, write, or otherwise access the files, APIs and so on that they need to perform their role. This applies to internal development and company teams, but it applies just as well to the functionality exposed by a web application.

Elevation of privilege is a type of broken access control in which users gain a higher level or role than they have been authorized for. Typically this shows up as an ordinary user gaining admin privileges, or as a visitor who is not logged in performing actions reserved for authenticated users. The severity depends heavily on what information the attacker can read or modify once they have that access.

HackerOne user 0x50d recently found an elevation of privilege (broken access control) vulnerability in Shopify that earned a bounty of $2900. Usually, in elevation of privilege issues, the attacker has to trick a server, API or similar component into believing they hold privileges they do not actually have, but this exploit is extremely simple!

0x50d found that https://plus-website.shopifycloud.com/admin.php?_page=1, an admin panel that only administrators should be able to reach, was accessible with no authentication required at all. In this case the elevation of privilege went from not logged in straight to admin. This was most likely found through Google Dorking, a no-programming-knowledge-required technique of using search-engine operators to locate documents, passwords, log files and similar material that has been exposed on the public web.

In a very transparent rationale for scoring, Shopify explains why this bug, as simple as it is, received a severity score of 4.6 (medium):

This authentication issue provided access to /admin on the affected site. Note that /admin/* paths would have been redirected to auth as expected. For this reason, attempts to make changes within the admin panel would fail and prevent an Integrity impact. However, there was still unintended read access to limited partner profile information on the root page, which resulted in a Low Confidentiality impact. (source: Shopify Sec team on HackerOne)

So the attacker gained read access, but no other form of access. This is why the principle of defense in depth is so important: the separate authentication check on the /admin/* paths limited the damage, and it is entirely possible that another vulnerability in this admin panel could have turned the bug into a much larger issue. Congrats to 0x50d on the awesome find and the well-deserved $2900 bug bounty!
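One plausible way for exactly this split to arise, shown here as an added illustration that is not Shopify's code and is not taken from the report: an authorization guard written as a prefix match on `/admin/` fires for every sub-path but never for the root admin page itself, so `/admin` and `/admin.php?_page=1` fall through while `/admin/users` redirects to login. The route table, both guard functions, the `probe` helper and the candidate URL list below are all hypothetical; the second guard is the deny-by-default, least-privilege version.

```python
"""Prefix-only auth guard (before) vs. deny-by-default guard (after).

Added example for the write-up above; not Shopify's code. Routes, guards
and candidate URLs are constructed for illustration only.
"""
import posixpath
from urllib.parse import urlsplit

# Hypothetical route table: normalized path -> handler name.
ROUTES = {
    "/": "home",
    "/login": "login",
    "/admin": "admin_dashboard",
    "/admin.php": "admin_dashboard",   # root admin page, cf. admin.php?_page=1
    "/admin/users": "admin_users",
    "/admin/settings": "admin_settings",
}

# Explicit allowlist of pages that may be served without a session.
PUBLIC_PATHS = {"/", "/login"}


def normalize(url: str) -> str:
    """Drop query string and fragment, collapse '..', '//' and trailing '/'."""
    path = urlsplit(url).path or "/"
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def guard_before(url: str, authenticated: bool) -> bool:
    """'Before' guard: only sub-paths of /admin/ require a session.

    The bare root page (/admin, /admin.php) never matches the prefix,
    so it is served to anyone. Returns True when the request may proceed.
    """
    path = urlsplit(url).path
    if path.startswith("/admin/"):
        return authenticated
    return True


def guard_after(url: str, authenticated: bool) -> bool:
    """'After' guard: deny by default, allow only the listed public paths."""
    path = normalize(url)
    if path in PUBLIC_PATHS:
        return True
    return authenticated


def dispatch(guard, url: str, authenticated: bool = False):
    """Simulate one request: (status, body_or_redirect_target)."""
    path = normalize(url)
    if path not in ROUTES:
        return 404, None
    if not guard(url, authenticated):
        return 302, "/login"
    return 200, ROUTES[path]


def probe(guard, urls):
    """Tester's view: which non-public URLs return 200 with no session at all?"""
    return [
        u for u in urls
        if normalize(u) not in PUBLIC_PATHS and dispatch(guard, u)[0] == 200
    ]


# Constructed list of paths a bug hunter might try unauthenticated.
CANDIDATES = [
    "/admin.php?_page=1",
    "/admin",
    "/admin/",
    "/admin/users",
    "/admin/settings",
    "/login",
]

if __name__ == "__main__":
    print("open without auth (before):", probe(guard_before, CANDIDATES))
    print("open without auth (after): ", probe(guard_after, CANDIDATES))
```

The `probe` helper is the offline stand-in for what a tester actually does: request each candidate path with no cookies and flag anything that answers 200 instead of redirecting to login. The fix is not a longer list of protected prefixes but inverting the rule: everything requires a session unless it is explicitly public.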




Source: https://infosecwriteups.com/sometimes-times-the-best-hack-is-no-hack-at-all-2900-shopify-bug-bounty-38531b279c67?source=rss----7b722bfd1b8d--bug_bounty