Critical bug


rajatester

Hi Team,

Can any developers confirm whether this is a bug or not?

POC video link for reference https://ci3.googleusercontent.com/meips/ADKq_NakbZe_YcarsXKRLaICNfi88uKn7bvA2ZhWWds5s8idw00nUXSCp9M7...

Bug - not fixed - critical - closed this bug without proper information, but it is still reproducible. POC video attached.

1. Created two separate accounts by using these two mail IDs: hiddename1@hiddenname.com belongs to hiddennameof1@gmail.com and hiddenname2@gmail.com.

2. Log in (first account) using hiddenname1@weare.hackerone.com and try to go to the store page

https://admin.shopify.com/store/446e3e-c2/ then log out.

3. Log in using hiddenname2@gmail.com and try to go to the store page

https://admin.shopify.com/store/6d6e-18-be/

and try to switch the URL by changing the store name as follows (first account store ID)

https://admin.shopify.com/store/446e3e-c2/

Now you will get a "switch account" button option, and if you click on that you will find an option to add an account. Try to add another existing account (first account - hiddenname2@namehidden.com) by clicking sign up. It will accept.

Now go to the newly created account's store page and log out.

Now you will not find an option to log out for the second account.

But if you click the login back button on the logout page, you can find your account button, and if you click on that, WITHOUT PASSWORD you can enter the store page.

VIDEO PROOF ATTACHED.

Impact

Able to create an account for an existing customer, and without a password you can log in to the switched account after logout, so reliability / security is in question here, and being unable to log out is also the same.


rajatester

Unable to attach the mp4 video for video proof, so the POC video link is attached; open it in a browser, access is given to anyone: https://ci3.googleusercontent.com/meips/ADKq_NakbZe_YcarsXKRLaICNfi88uKn7bvA2ZhWWds5s8idw00nUXSCp9M7...