Critical bug

Topic summary

A security researcher reports a critical authentication vulnerability that was previously closed without resolution but remains reproducible.

Core Issue:
Users can switch between accounts and access store pages without entering passwords. After logging out from one account and logging into another, the logout functionality fails, creating a security gap.

Reproduction Steps:

  • Create two separate accounts with different email addresses
  • Log into first account, access store page, then logout
  • Log into second account and navigate to store page
  • Attempt to add the first account again through account switching
  • Modify store URL to switch between accounts without authentication

Key Concerns:

  • Password-less access to existing customer accounts
  • Inability to properly logout after account switching
  • Potential unauthorized store page access

Status: The bug report includes a POC (Proof of Concept) video demonstration. The researcher is seeking developer confirmation on whether this constitutes a valid security bug, as it was previously closed without adequate explanation despite remaining reproducible.

Summarized with AI on November 5. AI used: claude-sonnet-4-5-20250929.

Hi Team,

Can any developers confirm whether this is a bug or not?

POC video link for reference https://ci3.googleusercontent.com/meips/ADKq_NakbZe_YcarsXKRLaICNfi88uKn7bvA2ZhWWds5s8idw00nUXSCp9M75IL2Zc9Y09vmSxEDO3Kv5EJUlGY9C4S4WYH8mMHfQ4qBQ1ZIlJuA5jStDSDX5sfFAw=s0-d-e1-ft#https://ssl.gstatic.com/docs/doclist/images/icon_10_generic_list.png

Bug - not fixed - critical - closed this bug without proper information, but it is still reproducible. POC video attached.

1. Created two separate accounts by using these two mail ids: hiddename1@hiddenname.com belongs to hiddennameof1@gmail.com, and hiddenname2@gmail.com.

2. Login (first account) using hiddenname1@weare.hackerone.com and try to go to the store page

https://admin.shopify.com/store/446e3e-c2/ then logout.

3. Login using hiddenname2@gmail.com and try to go to the store page

https://admin.shopify.com/store/6d6e-18-be/

and try to switch the URL by changing the store name as follows (first account store id):

https://admin.shopify.com/store/446e3e-c2/

Now you will get a "switch account" button option, and if you click on that,

you will find an option to add an account. Try to add another existing account (first account - hiddenname2@namehidden.com) by clicking signup. It will accept.

Now go to the newly created account's store page and logout.

Now you will not find an option to logout for the second account.

But if you click the "login back" button on the logout page, you can find your account button, and if you click on that, WITHOUT PASSWORD, you can enter the store page.

VIDEO PROOF ATTACHED.

Impact

Able to create an account for an existing customer, and without a password you can login to the switched account after logout, so reliability / security is in question here, and being unable to logout is also the same.

Unable to attach mp4 video for video proof, so the POC video link is attached; open it in a browser, access is given for anyone https://ci3.googleusercontent.com/meips/ADKq_NakbZe_YcarsXKRLaICNfi88uKn7bvA2ZhWWds5s8idw00nUXSCp9M7
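As an added illustration (not code from the report, the summary, or Shopify), the following Python model shows the session handling a defender would expect around the flow described above: logout revokes the whole browser session bundle so that no linked account stays usable without a password, switching to an account that was not authenticated in the current session is refused, a store URL is authorized against the active identity only, and signup rejects an email that already exists. Users, stores and passwords are constructed sample data; the `revoke_all_on_logout=False` branch is a deliberate model of the flawed behaviour the report describes, not a statement about how Shopify's code is written.

```python
import hashlib
import secrets

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthError(Exception):
    """Raised when an action needs (re)authentication or is not authorized."""


class SessionManager:
    """Hypothetical multi-account session store (constructed for this example)."""

    def __init__(self, revoke_all_on_logout: bool = True):
        # False models the flawed behaviour: logout drops only the active account.
        self.revoke_all_on_logout = revoke_all_on_logout
        self.users = {}     # email -> {"salt", "hash", "stores"}
        self.sessions = {}  # browser session id -> {"accounts": set(), "active": email|None}

    def signup(self, email, password, store_id):
        if email in self.users:
            # "add account" must never re-register an existing customer
            raise AuthError("account already exists; log in instead")
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": hash_password(password, salt),
                             "stores": {store_id}}

    def _check_password(self, email, password):
        user = self.users.get(email)
        if user is None:
            raise AuthError("unknown account")
        if not secrets.compare_digest(user["hash"], hash_password(password, user["salt"])):
            raise AuthError("bad password")

    def login(self, email, password, session_id=None):
        """Verify the password, then link the account to the browser session."""
        self._check_password(email, password)
        if session_id is None or session_id not in self.sessions:
            session_id = secrets.token_urlsafe(32)
            self.sessions[session_id] = {"accounts": set(), "active": None}
        sess = self.sessions[session_id]
        sess["accounts"].add(email)
        sess["active"] = email
        return session_id

    def switch_account(self, session_id, email):
        """Switching without a password is allowed only for accounts already
        authenticated in this very session."""
        sess = self.sessions.get(session_id)
        if sess is None or email not in sess["accounts"]:
            raise AuthError("password required to use this account")
        sess["active"] = email

    def open_store(self, session_id, store_id):
        """Authorize /store/<store_id> against the active identity only; a
        tampered store id gets a refusal, not an account picker."""
        sess = self.sessions.get(session_id)
        if sess is None or sess["active"] is None:
            raise AuthError("not logged in")
        if store_id not in self.users[sess["active"]]["stores"]:
            raise AuthError("forbidden: store not owned by the active account")
        return f"store page for {store_id} as {sess['active']}"

    def logout(self, session_id):
        sess = self.sessions.get(session_id)
        if sess is None:
            return
        if self.revoke_all_on_logout:
            del self.sessions[session_id]  # hardened: every linked account needs a password again
        else:
            sess["accounts"].discard(sess["active"])  # flawed: other linked accounts stay live
            sess["active"] = None


def passwordless_switch_after_logout(revoke_all_on_logout: bool) -> bool:
    """True if, after logout, the other linked account can still be used
    without a password (the gap the report describes)."""
    mgr = SessionManager(revoke_all_on_logout)
    mgr.signup("first@example.test", "pw-one", "store-1")      # constructed sample users
    mgr.signup("second@example.test", "pw-two", "store-2")
    sid = mgr.login("first@example.test", "pw-one")
    mgr.login("second@example.test", "pw-two", sid)           # "add account" in the same browser
    mgr.logout(sid)
    try:
        mgr.switch_account(sid, "first@example.test")
        mgr.open_store(sid, "store-1")
        return True
    except AuthError:
        return False


def tampered_store_url_denied() -> bool:
    """True if editing the store id in the URL is refused for a non-owner."""
    mgr = SessionManager()
    mgr.signup("first@example.test", "pw-one", "store-1")
    mgr.signup("second@example.test", "pw-two", "store-2")
    sid = mgr.login("second@example.test", "pw-two")
    try:
        mgr.open_store(sid, "store-1")
        return False
    except AuthError:
        return True
```

Running `passwordless_switch_after_logout(False)` returns True, reproducing the reported condition in the model, while the hardened default returns False because logout destroys the entire session bundle; `tampered_store_url_denied()` returns True because authorization is tied to the active identity rather than to whichever accounts the browser has ever seen.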