Hello everyone, today I will show you my duplicate report.
Bug: Bypass authentication
- Target is test.com because I don't have permission to disclose
My target is an online shopping platform like Shopify, so I have an admin page to control my shop.
Everything is okay until I have to set up a password for payment. The payment feature is for receiving customers' money when they buy products. Okay, I create a password and save it.
But the admin page allows the admin to give another account permission as manager or editor. When the admin gives manager permission to another account, that account has permission to access the payment feature. Instead of entering the password, an attacker can bypass authentication by finding the API endpoint.
Find the endpoint https://api.test.com/api/seller/stores/{}/settings/payment and send a request. The attacker can see the response, which contains the key "payment_password", and that is the victim's password.
Impact: The attacker logs in to the payment feature and changes the PayPal secret key. When a customer pays for products, the money flows to the hacker's wallet instead of the victim's.
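How the server side could close this hole, as an added example that is not the target's code: the first handler reproduces the leak described above, the second checks the payment password on the server and returns only allow-listed fields, and `find_secret_fields` is a regression check for API tests. Every name except `payment_password` is an assumption, and the records are constructed.

```python
import hashlib
import hmac
import os

def derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 chosen only because it is in the standard library (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def vulnerable_get_payment_settings(record: dict) -> dict:
    # Behaviour described in the report: the stored record is serialized as-is,
    # so "payment_password" reaches every account allowed to call the endpoint.
    return dict(record)

READABLE_FIELDS = ("store_id", "paypal_client_id")  # allow-list, no secrets

def hardened_get_payment_settings(record: dict, supplied_password: str) -> dict:
    # The payment password is verified on the server for every caller, whatever
    # role the admin granted, and it is never part of any response.
    candidate = derive(supplied_password, record["payment_password_salt"])
    if not hmac.compare_digest(candidate, record["payment_password_hash"]):
        return {"status": 403, "error": "payment password required"}
    return {"status": 200, "body": {f: record[f] for f in READABLE_FIELDS}}

def find_secret_fields(response, markers=("password", "secret")) -> list:
    # Regression check for API tests: list response keys that look like secrets.
    hits = []
    if isinstance(response, dict):
        for key, value in response.items():
            if any(m in key.lower() for m in markers):
                hits.append(key)
            hits.extend(find_secret_fields(value, markers))
    elif isinstance(response, list):
        for item in response:
            hits.extend(find_secret_fields(item, markers))
    return hits

# Constructed sample records (all values invented for this example).
_SALT = os.urandom(16)
LEGACY_RECORD = {"store_id": 1001, "paypal_client_id": "constructed-id",
                 "paypal_secret_key": "constructed-secret",
                 "payment_password": "constructed-pass"}
HARDENED_RECORD = {"store_id": 1001, "paypal_client_id": "constructed-id",
                   "paypal_secret_key": "constructed-secret",
                   "payment_password_salt": _SALT,
                   "payment_password_hash": derive("constructed-pass", _SALT)}
```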