Bug Bounty Reports Explained
How a Security Researcher Earned $1,900 Bounty for Privilege Escalation
$1,900 for Finding a Privilege Escalation Flaw in Shopify’s Partner Portal

Introduction
A security researcher, Samux, discovered a privilege escalation vulnerability in Shopify’s Partner Portal (partners.shopify.com). This flaw allowed users without the necessary permissions to create unauthorized referrals by exploiting an unprotected API endpoint. The issue was promptly triaged, resolved, and ultimately earned Samux a bounty of $1,900.
Summary of the Vulnerability
Shopify’s Partner Portal features a referral system in which users holding specific permissions can submit POS (Point of Sale) leads. The frontend enforced this restriction correctly, but the backend API that handles lead creation did not perform its own authorization check. As a result, a user without the “View referrals” permission could request the lead creation URL directly and submit a referral.
Steps to Reproduce
- Authenticate as an administrator and invite another user with limited privileges.
- Verify that the invited user does not have access to the referrals functionality.
- While logged in as the limited-privilege user, attempt to visit the referrals page:
https://partners.shopify.com/partner_id/referrals/
- Notice that access is restricted.
- Now, as the administrator, access the referral submission endpoint:
https://partners.shopify.com/partner_id/partner_leads/pos
- Copy this URL and visit it using the limited-privilege user’s session.
- Observe that, despite lacking permissions, the user can successfully submit a POS lead.
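The root cause in the summary and the reproduction steps above is a classic frontend-only authorization check: the UI hides the referrals link from the invited user, but the backend handler behind `partner_leads/pos` accepts any authenticated session. The following added example (written for this article, not Shopify’s code) models both the vulnerable handler and a hardened one that re-checks the “View referrals” permission on every request and records denied attempts for detection. The `User` class, the `LEADS` and `DENIED_LOG` stores, the sample lead and the `"View apps"` permission name are constructed assumptions.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a partner-portal account and its permission set (constructed)."""
    name: str
    permissions: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when the caller lacks the permission the route requires."""


# Constructed in-memory stores standing in for the database and the audit sink.
LEADS: list[dict] = []
DENIED_LOG: list[dict] = []


def create_pos_lead_unchecked(user: User, lead: dict) -> int:
    """Vulnerable pattern: assumes the UI only shows the form to permitted users,
    so anyone who knows the URL and holds a valid session can submit a lead."""
    LEADS.append({"submitted_by": user.name, **lead})
    return len(LEADS) - 1


def require_permission(permission: str):
    """Server-side guard: checks the permission on every call, independently of
    whatever the frontend chose to render, and logs each denial for monitoring."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if permission not in user.permissions:
                DENIED_LOG.append({"user": user.name, "route": fn.__name__, "needs": permission})
                raise Forbidden(f"{user.name} lacks '{permission}'")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("View referrals")
def create_pos_lead(user: User, lead: dict) -> int:
    """Hardened handler for the lead creation route: same body, but the
    decorator enforces the permission before any state changes."""
    LEADS.append({"submitted_by": user.name, **lead})
    return len(LEADS) - 1


def demo() -> dict:
    """Replays the report's scenario: an admin and an invited user without
    referral rights hit both handlers. Returns the observed outcomes."""
    LEADS.clear()
    DENIED_LOG.clear()
    admin = User("admin", frozenset({"View referrals", "Manage staff"}))
    staff = User("staff", frozenset({"View apps"}))  # invited without referral rights
    lead = {"merchant": "Example Store", "source": "POS"}  # constructed sample lead

    results = {}
    # Unchecked handler: the limited user succeeds, which is the reported bug.
    results["unchecked_staff"] = create_pos_lead_unchecked(staff, lead)
    # Hardened handler: the admin succeeds, the limited user is refused and logged.
    results["checked_admin"] = create_pos_lead(admin, lead)
    try:
        create_pos_lead(staff, lead)
        results["checked_staff"] = "allowed"
    except Forbidden:
        results["checked_staff"] = "denied"
    results["leads"] = len(LEADS)
    results["denials"] = len(DENIED_LOG)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the decorator is that the check lives on the handler, not in the template: removing a link from the page changes nothing about what the route accepts. Logging denials from the guard also gives a cheap detection signal, since a user repeatedly hitting routes they were never shown is exactly the access pattern in the reproduction steps.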
Impact
This vulnerability allowed unauthorized users to bypass the intended access restrictions and create referrals, which could lead to misuse of the referral system. The risk level was classified as Medium (4.3 CVSS score), since it primarily affected data integrity.
Timeline
- January 21, 2022: Samux…