Stored XSS (Cross-Site Scripting) on Shopify shop

Hi Shopify,

This is Shaifullah Shaon (Black_EyE), an ethical hacker and white hat cyber security researcher from Bangladesh, reporting a serious [3rd ranking in OWASP] security vulnerability on your system.

I faced a technical security bug called “Stored XSS (Cross Site
Scripting) on Shopify shop”.

I have now exploited it. If you want to verify further, you can see my video PoC, which is unlisted on my YouTube channel.

Please follow along:

1. I already opened my account.
2. Just input the payload into the product name.
3. A password is needed here for a temporary account; for a paid account, no password is needed, as per your terms and conditions.
4. Now I go to preview the product listing and, as you see, here is also a popup menu with the domain name.

poc url: $shop$.myshopify.com
poc direct: fuckingstor.myshopify.com
pass: trawxo

Now see again: here there will always be a popup with the domain name, and it's stored in your database.

** Note: Here the script works as the product name; it won't work as the description or in any other HTML editor.

Please see my video PoC to understand clearly. Hopefully these are very critical issues.
Please resolve these issues as soon as possible.

Here is the video proof of concept (unlisted): https://youtu.be/FJ7Jq0GLNMQ

If you have any doubt, see the footer in the video for the clock, date and time.

Thank you
Shaifullah Shaon (Black_EyE)
shaon.durjoy@gmail.com
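
Added example, not part of the original report and not Shopify's code: a plain-text field such as a product name becomes stored XSS when it is written into the listing page without output encoding, and encoding at render time closes it. The product record, the function names and the sample markup are constructed for illustration.

```javascript
// Constructed product record, as it might sit in storage after step 2.
// The name carries inert sample markup rather than a working payload.
const product = {
  name: 'Blue Mug <script>/* constructed sample markup */</script>',
  price: '12.00',
};

// Encode the characters that let text break out of HTML text or
// quoted-attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the stored name is concatenated into the page as-is, so any
// markup in it becomes part of the document for every visitor.
function renderListingUnsafe(p) {
  return `<li class="product"><h2>${p.name}</h2><span>${p.price}</span></li>`;
}

// Hardened: the name is treated as plain text and encoded at output time.
function renderListingSafe(p) {
  return `<li class="product"><h2>${escapeHtml(p.name)}</h2>` +
         `<span>${escapeHtml(p.price)}</span></li>`;
}

// Regression check: does rendering this record introduce tags beyond the
// ones the template itself emits for a harmless name?
function introducesMarkup(render, p) {
  const countTags = (html) => (html.match(/<[a-z!\/]/gi) || []).length;
  return countTags(render(p)) !== countTags(render({ ...p, name: 'x' }));
}

console.log('unsafe renderer leaks markup:', introducesMarkup(renderListingUnsafe, product));
console.log('safe renderer leaks markup:  ', introducesMarkup(renderListingSafe, product));
```

A rich-text field such as the description needs an allowlist HTML sanitizer instead of blanket encoding, which is one reason a name field and an HTML-editor field can behave differently, as the report's note observes.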
