
Getting bug report emails that are probably a scam


lightandspace
Visitor

We got this email from a Gmail account and then follow-ups. I'm sure it's a scam, but is there a bug or anything to worry about?


Vulnerability: Failure to invalidate session on forget password

I have observed that when we request a forgot-password link, it updates the session instead of expiring it. If an account is logged in in some browser and the password reset link is used, the other account will get updated but not expired.

Steps to reproduce:
1. Request a forgot password link.
2. Now log in in another browser, and then use the password reset link in another browser.
3. You will notice that the password will be changed successfully and the other browser will still be active with the account you opened in it.

Recommendations:
It should expire immediately when the password is changed.

Impact:
If some account is logged in in some browser, it will not be logged out from that browser; it will remain logged in and can be used for malicious activities.

Thank you for your attention to this matter, and we look forward to assisting you in resolving this issue promptly. I represent a team of penetration testing service providers. We specialize in identifying and addressing potential security vulnerabilities to help ensure the integrity and safety of online platforms.

Laza_Binaery
Shopify Partner

Hi @lightandspace

Welcome to the community. And yes, if it is a Gmail, it is a scam, no matter what they say and how plausible it sounds.


https://help.shopify.com/en/manual/privacy-and-security/account-security/phishing#recognizing-legiti...


Recognizing legitimate Shopify emails

Shopify will only send emails from official domains such as @shopify.com, @email.shopify.com, @em.shopify.com, and @shopify-billpay.melio.com. Emails from public email services such as Gmail, Yahoo, Apple mail, or Hotmail aren't from Shopify and should be treated as potential phishing attempts.


Now if you search here or on Google, you could find hundreds of topics with the same scam tactics: trademark, compliance, performance, accessibility rules and so on. There are also a few topics that show in detail the full path scammers take until they get the money and do nothing.


Kind regards
Laza
www.binaery.com
lightandspace
Visitor

Thanks Laza. I realize it is not an official Shopify email; what I meant is, is that vulnerability a real thing, or just nonsense for them to try to get access to the site?

Laza_Binaery
Shopify Partner

Just nonsense, like you say. But some of the scams use real issues in general that might happen, and then if it passes, it passes.

Kind regards
Laza
www.binaery.com
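The behaviour the email describes (a logged-in session surviving a password reset) is a real bug class, which is what Laza means by scams borrowing real issues even when the specific report is unverified. The following is an added Python illustration, not code from this thread or from Shopify: a constructed in-memory session store that replays the three "steps to reproduce" once without and once with per-user password-generation tracking, the common way to make a reset revoke every session still open in another browser.

```python
from __future__ import annotations

import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for illustration).

    Every session remembers the 'password generation' of its user at login
    time; a password change bumps that counter, which, in hardened mode,
    makes every session issued under the old generation invalid."""

    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.invalidate_on_password_change = invalidate_on_password_change
        self.sessions: dict[str, tuple[str, int]] = {}  # token -> (user, generation)
        self.generation: dict[str, int] = {}            # user -> current generation

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.generation.get(user, 0))
        return token

    def reset_password(self, user: str) -> None:
        # Stand-in for the real reset flow: only the bookkeeping that affects
        # session validity is modelled, no credential storage.
        self.generation[user] = self.generation.get(user, 0) + 1

    def is_active(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, generation = entry
        if self.invalidate_on_password_change:
            return generation == self.generation.get(user, 0)
        return True  # weak mode: old sessions outlive the password change


def reproduce(invalidate_on_password_change: bool) -> tuple[bool, bool]:
    """Replay the thread's steps: session open in browser A, reset link used
    in browser B. Returns (browser_a_still_active, browser_b_active)."""
    store = SessionStore(invalidate_on_password_change)
    browser_a = store.login("alice")   # account already logged in in browser A
    store.reset_password("alice")      # password reset link used in browser B
    browser_b = store.login("alice")   # fresh login with the new password
    return store.is_active(browser_a), store.is_active(browser_b)


if __name__ == "__main__":
    print("weak store, browser A still active:", reproduce(False)[0])     # True
    print("hardened store, browser A still active:", reproduce(True)[0])  # False
```

Real frameworks implement the same idea by mixing a hash of the password (or a per-user version number) into the session data and rejecting sessions whose value no longer matches.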