How an Invalid Scope Parameter Let Me Redirect Users to Phishing Sites
In OAuth implementations, security often depends on strict validation of parameters like redirect_uri and scope.
In this real-world Shopify bug bounty report, I’ll walk you through how I discovered an Open Redirection vulnerability in Shopify’s OAuth flow, one that allowed attackers to redirect users to arbitrary external sites, including phishing pages, simply by passing an invalid scope parameter.
Let’s break it all down.
Vulnerability Summary
- Bug Type: Open Redirection via OAuth
- Target: Shopify OAuth Authorization Flow
- Impact: Redirect any user to an attacker-controlled domain, even when OAuth parameter validation fails
- Severity: Medium → High (due to phishing potential)
- Bounty Awarded: $500
- Report ID: #55525
- Hunter: coolboss
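To make the root cause concrete from the defender's side, here is an added Python sketch (my own code, not Shopify's implementation and not the proof of concept from the report) of an authorization endpoint in two versions: one that checks scope before redirect_uri and therefore bounces the browser to an unverified URL on an invalid scope, which is the class of flaw summarised above, and a hardened one that verifies redirect_uri by exact match against the app registration before any redirect, as RFC 6749 section 4.1.2.1 requires. The client_id, callback URL, scope names and the sample request are constructed placeholders.

```python
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed app registration for this example; the client_id, callback and
# scope names are placeholders, not entries from any real registry.
REGISTERED_APPS = {
    "example-client-id": {
        "redirect_uris": {"https://example-app.test/auth/callback"},
        "allowed_scopes": {"read_products", "write_products", "read_orders"},
    }
}


def parse_scopes(raw):
    """Split a scope string; Shopify uses commas, generic OAuth uses spaces."""
    return {s for s in re.split(r"[,\s]+", raw or "") if s}


def build_error_redirect(redirect_uri, error, state=None):
    """Append error (and state) to a redirect URI, preserving any existing query."""
    parts = urlsplit(redirect_uri)
    extra = {"error": error}
    if state is not None:
        extra["state"] = state
    query = parts.query + ("&" if parts.query else "") + urlencode(extra)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def vulnerable_authorize(params):
    """Reproduces the class of flaw: the scope check runs first and, when it
    fails, the server redirects to whatever redirect_uri the request carried,
    before that URI has been compared against the registration."""
    app = REGISTERED_APPS.get(params.get("client_id"))
    if app is None:
        return {"action": "render_error", "error": "unknown client_id"}
    scopes = parse_scopes(params.get("scope"))
    if not scopes or not scopes <= app["allowed_scopes"]:
        # BUG: unvalidated redirect_uri becomes the redirect target (open redirect)
        return {"action": "redirect",
                "location": build_error_redirect(params.get("redirect_uri", ""),
                                                 "invalid_scope", params.get("state"))}
    if params.get("redirect_uri") not in app["redirect_uris"]:
        return {"action": "render_error", "error": "redirect_uri mismatch"}
    return {"action": "render_consent", "scopes": sorted(scopes)}


def hardened_authorize(params):
    """Fix: establish a trustworthy redirect target before any other check.
    A missing or mismatched redirect_uri is reported on-page, never via a
    redirect; only after an exact match may errors such as invalid_scope be
    delivered to the (now verified) callback."""
    app = REGISTERED_APPS.get(params.get("client_id"))
    if app is None:
        return {"action": "render_error", "error": "unknown client_id"}
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in app["redirect_uris"]:  # exact string match, no prefix or wildcard
        return {"action": "render_error", "error": "redirect_uri mismatch"}
    scopes = parse_scopes(params.get("scope"))
    if not scopes or not scopes <= app["allowed_scopes"]:
        return {"action": "redirect",
                "location": build_error_redirect(redirect_uri, "invalid_scope",
                                                 params.get("state"))}
    return {"action": "render_consent", "scopes": sorted(scopes)}


if __name__ == "__main__":
    # Constructed request in the shape the report describes: valid client_id,
    # bogus scope, redirect_uri that was never registered for the app.
    probe = {"client_id": "example-client-id", "scope": "not_a_real_scope",
             "redirect_uri": "https://phish.example/login", "state": "abc"}
    print("vulnerable:", vulnerable_authorize(probe))
    print("hardened:  ", hardened_authorize(probe))
```

The ordering is the whole fix: once redirect_uri has been matched exactly against the registration, every later error path can safely use it, and an attacker who controls only the query string has nowhere to send the browser. A detection rule for this class of bug is simply to look for any code path that issues a 302 to a request-supplied URL before the registration lookup has run.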
Step-by-Step Reproduction
Let’s see how this issue can be reproduced using a simple example.
- Create a Shopify App
First, the attacker creates a test app at prans.myshopify.com and obtains a client_id.