Hi Team,
Can any developers confirm whether this is a bug or not?
POC video link for reference: https://ci3.googleusercontent.com/meips/ADKq_NakbZe_YcarsXKRLaICNfi88uKn7bvA2ZhWWds5s8idw00nUXSCp9M7...
Bug - not fixed - critical - closed this bug without proper information, but it is still reproducible. POC video attached.
1. Created two separate accounts using these two mail IDs: hiddename1@hiddenname.com belongs to hiddennameof1@gmail.com and hiddenname2@gmail.com.
2. Log in (first account) using hiddenname1@weare.hackerone.com and try to go to the store page
https://admin.shopify.com/store/446e3e-c2/ then log out.
3. Log in using hiddenname2@gmail.com and try to go to the store page
https://admin.shopify.com/store/6d6e-18-be/
and try to switch the URL by changing the store name as follows (first account store ID)
https://admin.shopify.com/store/446e3e-c2/
Now you will get a switch account button option, and if you click on it
you will find an option to add an account. Try to add another existing account (first account - hiddenname2@namehidden.com) by clicking sign up. It will accept.
Now go to the newly created account's store page and log out.
Now you will not find an option to log out for the second account.
But if you click the login back button on the logout page, you can find your account button, and if you click on that, WITHOUT A PASSWORD you can enter the store page.
VIDEO PROOF ATTACHED.
Impact
Able to create an account for an existing customer, and without a password you can log in to the switched account after logout, so reliability / security is in question here, and being unable to log out is also the same.
Unable to attach the mp4 video as video proof, so the POC video link is attached; open it in a browser, access is given to anyone: https://ci3.googleusercontent.com/meips/ADKq_NakbZe_YcarsXKRLaICNfi88uKn7bvA2ZhWWds5s8idw00nUXSCp9M7...