Clicking on invoice link bypassed login and password

Solved

Clicking on invoice link bypassed login and password

Silo6511
Visitor
2 1 0

 

I'm new to Shopify for my new job. My colleague sent me a Shopify invoice link to send to a customer. When I pasted it into the email and clicked on it to ensure the hyperlink was working, the page automatically sent a two-factor authentication code to the customer's SMS right away.  I didn't see any login and password page at all. Now, the customer thinks I'm a fraud.

 

This issue has been plaguing me for the past few days. I haven't been able to find any articles about someone being able to log into a customer's account this way. I also saw that the new Shopify Customer account sends one-time login codes to emails but not phone numbers.

 

Was I unlucky to encounter a bug? Was this working by design? I'm worried that the customer will think I accessed her account again if any of her accounts get hacked in the future

Accepted Solution (1)

Silo6511
Visitor
2 1 0

This is an accepted solution.

I contacted Shopify support. Turns out when I'm logged into my Shopify admin account, I don't need the customer's login and password to access their account. But for transparency, the customer will receive an SMS notification regarding the login.

View solution in original post

Replies 2 (2)

vritzka
Shopify Partner
13 1 1

Could you post a (redacted) version of the link?  That may help diagnose this

Intelligent Customer Chat without paying for staff: AI Chatbot for Shopify (currently free).

Silo6511
Visitor
2 1 0

This is an accepted solution.

I contacted Shopify support. Turns out when I'm logged into my Shopify admin account, I don't need the customer's login and password to access their account. But for transparency, the customer will receive an SMS notification regarding the login.