Found a bug that affects all Shopify stores; it allows customers to use and checkout a Draft Order, after it’s been deleted.
I tried submitting to HackerOne; they closed it as “informative.”
I contacted support, it was submitted as a “Merchant Frustration”, and they said to come here.
Thank you for reaching out about this issue. I definitely want to hear more and ensure that it is handled appropriately. While I can’t directly review any open tickets myself, I can ensure that the ticket is reviewed for a followup.
Can you share a detailed breakdown of the issue you are experiencing as well as the expected behavior vs what is actually happening? As much detail as you can provide (screenshots, video recording, etc) will be very helpful.
Thank you for your concern and for reaching out to share this with us!
Thank you for those details, @hotnoob. I was able to replicate this and ensured that it was flagged with our technical team.
It’s important to note that this behavior of the draft orders is not a bug per se, but more of a platform limitation. I completely understand how this functionality is not ideal though, and stressed that to our team on behalf of our merchants.
My technical team also noted that if you have reported this through HackerOne (I don’t have direct access to it myself) that our Security team will be alerted and the ticket/issue will be reviewed. I really appreciate your diligence in making sure this was reported to all appropriate channels and teams.
If the customer completes the checkout and pays for that deleted draft order, and then tries the same checkout URL again, this time you will get a warning message: “this invoice is already paid”