Uncovering the Hidden Vulnerability: How I Found an Authentication Bypass on Shopify’s Exchange Marketplace!

Niraj Mahajan
May 25, 2024


Hello Researchers,

Welcome back to my Medium blog! I’m excited to have you here again and can’t wait to share more interesting content with you.

While reading Medium blogs, I found articles about cookies that made me curious. I read about the CookieEditor extension, which lets you make, change, or delete cookies without leaving your tab. So, I’ve decided to try playing around with cookies and see what new things I can discover.

In the initial stages of my bug bounty journey, I randomly chose the Shopify program on HackerOne. After thoroughly understanding the scope, I encountered a domain, https://exchangemarketplace.com (which is now decommissioned) from their scope.

This website only has options to sign in with Shopify, Google, and Facebook.

Without wasting any time, let’s get started…

Requirement: Install the Cookie Editor or EditThisCookie extension in your browser to edit or export cookies.

Steps to Reproduce:

  1. Go to https://exchangemarketplace.com/ and click on “Sign In”
  2. Continue with your Google Account to log in to your account.
  3. After logging in, click on the “EditThisCookie” extension and export the cookies. Save these cookies in Notepad.
  4. Now, open another browser and import those cookies. You’ll be able to log in to your account using the cookies.
  5. Log out from your first browser, and it should also log you out from the other browser.
  6. Log in again with your Google account in the first browser. This will generate new cookies.
  7. Now, use the old cookies saved in the notepad to log in to the account in the second browser. This way, you can access the victim’s account whenever their session is active.

The steps above seem simple, suggesting that session cookies don't expire after logout, but that’s not the case. Let me explain what’s actually happening: the application only accepts old cookies when the user’s session is active somewhere.

In Browser 1, the user must be logged in for an attacker to gain access in Browser 2 using the old cookies. The root cause is that the application does not assign a new session cookie value when the user clicks on logout. This type of issue is considered Low Severity.
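The behaviour described above can be modelled server-side. The following is an added example, not code from the original post or from Shopify: `WeakSessions` is an assumed model that reproduces the observed behaviour (old tokens are never revoked and are honoured whenever the user is logged in somewhere), and `HardenedSessions` shows the fix of destroying the session record on logout. All class, function and account names are hypothetical.

```python
import secrets


class WeakSessions:
    """Assumed model of the flaw: tokens are never revoked, and a token is
    accepted whenever its owner is logged in anywhere."""

    def __init__(self):
        self.token_owner = {}      # token -> user, never cleaned up
        self.active_users = set()  # users with a live login somewhere

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self.token_owner[token] = user
        self.active_users.add(user)
        return token

    def logout(self, token):
        # Only the per-user flag is cleared; the token itself survives.
        self.active_users.discard(self.token_owner.get(token))

    def is_valid(self, token):
        return self.token_owner.get(token) in self.active_users


class HardenedSessions:
    """Each token is its own server-side record, destroyed on logout."""

    def __init__(self):
        self.sessions = {}  # token -> user

    def login(self, user):
        token = secrets.token_urlsafe(32)  # fresh value on every login
        self.sessions[token] = user
        return token

    def logout(self, token):
        self.sessions.pop(token, None)  # old cookie can never validate again

    def is_valid(self, token):
        return token in self.sessions


def replay_after_relogin(store, user="alice@example.test"):  # constructed account
    """Replays steps 3-7: save cookie, log out, log in again, reuse saved cookie."""
    saved = store.login(user)           # cookie exported in step 3
    store.logout(saved)                 # step 5
    after_logout = store.is_valid(saved)
    fresh = store.login(user)           # step 6: new cookie issued
    return after_logout, store.is_valid(saved), store.is_valid(fresh)
```

With the weak store the saved cookie is rejected right after logout but accepted again once the user logs back in, which matches the report; with the hardened store it stays rejected.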

I was rewarded $500 USD for reporting this issue to Shopify. 🎉

Try this approach when you’re testing for session cookie-related issues. Test both login methods: using a username and password, and using SSO. There is a high possibility that the application is vulnerable when it allows sign-in using SSO cookies.

I hope you have learned something new in this writeup.

HackerOne Disclosed Report: https://hackerone.com/reports/1162443

If you need any help or want to connect, you can connect with me via LinkedIn and Twitter.

I hope it will help you in your Bug Hunting !!

Thanks for Reading !!😊

./Keep_Hacking

Niraj Mahajan

Microsoft’s Top Security Researcher | Bug Bounty Hunter | Red Teamer | Application Security | Discovered 11x CVEs