$500 Bounty: Shopify Referrer Leak: Hijacking Storefront Access with a Single Token
Summary
Shopify’s theme editor reportedly leaks the sensitive oseid parameter via the Referer header, according to security researcher saltymermaid.
If combined with an iframe technique, this allows unauthorised users to bypass store passwords, gaining unrestricted visibility of the target store.
saltymermaid discovered the issue while browsing Pinterest and identified a pattern where certain URLs would trigger an automatic redirect to Shopify stores.
This could occur when saving a product, leading admins to infer that their stores were connected to Pinterest.
saltymermaid states that if the victim merchant then logs into Shopify, the referral headers leak the oseid and thus verify the correlation.
An attacker can then exploit this to gain storefront access.
The researcher has dubbed this technique double-referer leakage and says it can be used to attack other platforms that use referral headers.
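To check whether a page's Referrer-Policy would let a query-string token such as oseid reach another origin, the sketch below follows the W3C Referrer Policy rules for a single navigation. It is an added example, not code from the researcher's report or from Shopify; the hostnames, the path and the token value are constructed placeholders, and a downgrade is simplified to mean https to non-https.

```javascript
// Added example: which Referrer-Policy values let a query-string token reach
// a cross-origin destination. URLs and the oseid value are constructed.
const SAMPLE_SOURCE = "https://shop.example/editor?oseid=PLACEHOLDER_TOKEN#preview";
const SAMPLE_DEST = "https://third-party.example/landing";

// Referrer as the browser would serialise it: no credentials, no fragment.
function strip(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer value sent for source -> dest, or null when none is sent.
// Simplification: "downgrade" is treated as https -> non-https.
function refererFor(policy, source, dest) {
  const s = new URL(source), d = new URL(dest);
  const sameOrigin = s.origin === d.origin;
  const downgrade = s.protocol === "https:" && d.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return strip(source, false);
    case "origin": return strip(source, true);
    case "same-origin": return sameOrigin ? strip(source, false) : null;
    case "strict-origin": return downgrade ? null : strip(source, true);
    case "no-referrer-when-downgrade": return downgrade ? null : strip(source, false);
    case "origin-when-cross-origin": return strip(source, !sameOrigin);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(source, false);
      return downgrade ? null : strip(source, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the named query parameter survives into the Referer value.
function leaksParam(policy, source, dest, param) {
  const ref = refererFor(policy, source, dest);
  return ref !== null && new URL(ref).searchParams.has(param);
}

// Policies under which the parameter leaks for this navigation.
function leakingPolicies(source, dest, param) {
  const all = ["no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"];
  return all.filter((p) => leaksParam(p, source, dest, param));
}
console.log(leakingPolicies(SAMPLE_SOURCE, SAMPLE_DEST, "oseid"));
```

Any policy that reduces the cross-origin value to the origin, or sends nothing, keeps the token out of the header; keeping session-like tokens out of URLs altogether removes the dependency on the policy.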