Shopify Multipass Misconfiguration

  1. First of all, you need to make sure that the shopify store of the website is on a different sub-domain from the original website (or atleast the checkout page)
  2. You also need to validate that the website does not require email verification for registering new emails and can log you in instantly after registering.
  3. After validating the previous two steps, it is straightforward. You make a purchase as a guest using the victim email, then from an incognito session register a new account on the main website using the same email and get redirected to the shopify store belonging to that website. You should see all the data of the purchase.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed A. Sherif

Ahmed A. Sherif

Pentester & Bug Bounty Hunter @Ahmed_ASherif