Found a bug that affects all Shopify stores; it allows customers to use and checkout a Draft Order, after it's been deleted.
I tried submitting to hackerone, they closed it as "informative."
I contacted support, was submitted as a "Merchant Frustration", and they said come here.
This bug affects ALL SHOPIFY STORES.
Hi @hotnoob
Thank you for reaching out about this issue. I definitely want to hear more and ensure that it is handled appropriately. While I can't directly review any open tickets myself, I can ensure that the ticket is reviewed for a followup.
Can you share a detailed breakdown of the issue you are experiencing as well as the expected behavior vs what is actually happening? As much detail as you can provide (screenshots, video recording, etc) will be very helpful.
Thank you for your concern and for reaching out to share this with us!
Shay | Social Care @ Shopify
@Shay
since asked by shopify staff to disclose the details; i will do so here and now.
1. create draft order
2. send draft order ( or if draft is created by api, someone just needs a copy of the draft order url )
3. customer opens draft order, and saves the url
4. delete draft order
5. the saved /checkout url remains valid indefinitely, and the customer is able to checkout with it.
6. customer checks out using draft order that has been deleted.
the expected behaviour is that the "checkout" is invalidated / deleted / prevented from completing.
this was verified by customer support; although it took a few hours to walk them through every step "correctly."
if you have access to shopify's hackerone, the report id is #1531791, where i have added screenshots and videos.
Thank you for those details @hotnoob. I was able to replicate this and ensured that it was flagged with our technical team.
It's important to note that this behavior of the draft orders is not a bug per se, but more of a platform limitation. I completely understand how this functionality is not ideal though, and stressed that to our team on behalf of our merchants.
My technical team also noted that if you have reported this through Hackerone (I don't have direct access to it myself) that our Security team will be alerted and the ticket/issue will be reviewed. I really appreciate your diligence in making sure this was reported to all appropriate channels and teams.
Shay | Social Care @ Shopify
Hello,
Any news on this?
I don't think this is "more of a platform limitation".
If the customer completes the checkout and pays for that deleted draft order, and then tries the same checkout url again, this time you will get a warning message: "this invoice is already paid"
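The lifecycle in the numbered steps above, together with the "already paid" check mentioned in the last reply, as a small model with and without a parent-state check at checkout time. This is an added example, not part of any post in the thread and not Shopify's code; the class, method names and rejection strings are hypothetical.

```python
import secrets


class DraftOrderStore:
    """Toy model (not Shopify code): draft orders issue checkout tokens."""

    def __init__(self, check_parent_on_checkout):
        self.check_parent = check_parent_on_checkout
        self.drafts = set()      # ids of draft orders that still exist
        self.checkouts = {}      # checkout token -> draft order id
        self.paid = set()        # tokens that have already been paid
        self._next_id = 1

    def create_draft(self):
        draft_id = self._next_id
        self._next_id += 1
        self.drafts.add(draft_id)
        return draft_id

    def open_checkout(self, draft_id):
        # Step 3: the customer opens the invoice and keeps the checkout URL.
        if draft_id not in self.drafts:
            raise KeyError("no such draft order")
        token = secrets.token_urlsafe(16)
        self.checkouts[token] = draft_id
        return token

    def delete_draft(self, draft_id):
        # Step 4: only the draft is removed; issued tokens are left alone.
        self.drafts.discard(draft_id)

    def complete_checkout(self, token):
        draft_id = self.checkouts.get(token)
        if draft_id is None:
            return "rejected: unknown checkout"
        if token in self.paid:
            return "rejected: already paid"
        # The check the thread expects: the parent draft must still exist.
        if self.check_parent and draft_id not in self.drafts:
            return "rejected: draft order deleted"
        self.paid.add(token)
        return "paid"


def replay_saved_url(check_parent_on_checkout):
    """Steps 1-6, then a second attempt with the same saved token."""
    store = DraftOrderStore(check_parent_on_checkout)
    draft = store.create_draft()
    saved = store.open_checkout(draft)
    store.delete_draft(draft)
    return [store.complete_checkout(saved), store.complete_checkout(saved)]
```

In the model, the paid-state check alone still lets the first attempt through after deletion; only the parent-existence check rejects it.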