Stored XSS Cross Site Scripting on Shopify shop

Hi Shopify,

Here is Shaifullah Shaon (Black_EyE), An Ethical Hacker.
a white hat cyber security researcher from Bangladesh reporting
a serious
[3’rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called “Stored XSS (Cross Site
Scripting) on Shopify shop”.

Now I exploited it. If you verify more, so you can see my video
poc that was unlisted my youtube channel.

Let’s follow me,

1. I already Open my Account.
2. Just input payload into product name.
3. Here needed password for temporary account, If paid account,
here no needed any password as your terms and conditions.
4. Now I going to preview with product listing and as you see,
Here is Also Popup Menu with domain name.

poc url: $shop$
poc direct:
pass: trawxo

Now See Again, Here always be popup with domain name and it’s
Stored into your database.

** Note: Here script working as product name, Won’t be as
description or any other html editor.

Please See my Video Poc for understand clearly. Hopefully Those
are Very critical issue.
Resolve those issue as soon as possible.

Here is proof as video concept (unlisted):

If you had any doubt, See The Footer in the Videos for see
Clock, Dated and time.

Thank you
Shaifullah Shaon (Black_EyE)

It’s an Online It Section
Please Subscribe us.