Shopify allows hijackers to claim subdomains

Snodgers
Shopify Partner

I'm writing this up as a warning to anyone with a Shopify account.

Let's say that you have a shop: products.com. You also have two CNAMEs: www.products.com and shop.products.com.

The CNAMEs point to products.com, which points to Shopify.

In your Shopify account, you link shop.products.com, www.products.com and products.com.

Later, you decide to create new.products.com as a CNAME. You point it at your primary domain, which is very common. You have some plans for the future but don't start working with it right away. That's fine. Right?

Wrong.

Shopify currently allows anyone with a Shopify account to take over the subdomain without verification. For you to reclaim it, you will need to verify, though!

People will typically connect their domains right away, but Shopify should not allow users to claim a subdomain without any verification.
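
A defender-side check for the situation described in the post, as an added example that is not part of the original post or Shopify's own tooling: it walks a zone export and lists every name that ends up at the store's Shopify target without being linked in the Shopify admin. The zone data, the `192.0.2.10` placeholder target and all function names are constructed for illustration.

```python
# Added example: find hostnames that resolve to Shopify but are not linked
# to your store. All data below is constructed to mirror the post's scenario.

ZONE = {  # name -> (record type, value), e.g. from your DNS provider's export
    "products.com": ("A", "192.0.2.10"),  # placeholder for the Shopify address
    "www.products.com": ("CNAME", "products.com"),
    "shop.products.com": ("CNAME", "products.com"),
    "new.products.com": ("CNAME", "products.com"),  # created, never linked
    "mail.products.com": ("CNAME", "mx.mailhost.example"),
}
# Assumption: the targets your store's DNS setup told you to point at.
SHOPIFY_TARGETS = {"192.0.2.10"}
# Domains listed as connected in the Shopify admin.
LINKED_IN_SHOPIFY = {"products.com", "www.products.com", "shop.products.com"}


def norm(name):
    """Lower-case a DNS name or address and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def final_target(name, zone):
    """Follow CNAMEs within the zone; return the last value, or None on a loop."""
    seen = set()
    name = norm(name)
    while name in zone:
        if name in seen:
            return None
        seen.add(name)
        rtype, value = zone[name]
        if rtype.upper() != "CNAME":
            return norm(value)
        name = norm(value)
    return name  # chain left the zone: an external hostname


def unclaimed_shopify_names(zone, shopify_targets, linked):
    """Names that land on a Shopify target but are not linked to the store."""
    zone = {norm(k): v for k, v in zone.items()}
    targets = {norm(t) for t in shopify_targets}
    linked = {norm(d) for d in linked}
    return sorted(
        n for n in zone if final_target(n, zone) in targets and n not in linked
    )


if __name__ == "__main__":
    for host in unclaimed_shopify_names(ZONE, SHOPIFY_TARGETS, LINKED_IN_SHOPIFY):
        print(f"{host}: points at Shopify but is not linked; link it or remove the record")
```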