Summary

  • A write-up details a security flaw in Shopify’s Collabs platform that allows an attacker to take over a creator’s account without email verification.
  • Researcher kun_19 discovered the issue, which earned them an $800 bounty.
  • Collabs is Shopify’s platform for influencers and creators to collaborate with its brands, promoting their products and earning commissions.
  • The problem relates to the platform’s transition from Dovetale to Shopify’s own system, during which the account takeover vulnerability was introduced.
  • It allowed an attacker to access a creator’s account just by knowing their email address, with no email verification required.
  • This could then allow the attacker to hijack the creator’s domain and steal their traffic, while also gaining access to personal information and creating an avenue for further attacks.

By Monika Sharma
