Duplicate report

1 min readFeb 19, 2021

Hello everyone ,today I will show you my duplicate report.

Bug: Bypass authentication

  • Target is test.com beacause I dont have permisson to disclose

My target is web shopping as shopify so I have admin page to control my shop

Everything is okay, until I have to signup password for payment, payment feature is to received customer’s money for buying products. Okay I will create password and save

But admin page allows admin give permisson for someone account as manager and editor . When admin gives manager permisson to another account ,another account have permisson to access payment feature. Instead of input password , attacker can bypass authentication by finding endpoint api

Find endpoint https://api.test.com/api/seller/stores/{}/settings/payment and send request. Attacker can see reponse, key “payment_password” and that is victim’s password.

Impact: Attacker login payment feature and change paypal secret key, when customer pay for products , money will flow to hacker’s wallet instead of victim