What is Shopify

Shopify is a complete commerce platform that lets you start, grow, and manage a business. With Shopify, merchants can build and customize an online store and sell in multiple places.

The vulnerability I discovered, and what we will be looking at today, lies in the online store and selling side. If you'd like to know more, you can read about what Shopify is for here.

The Story

Late one night on the 3rd of May 2023 I was working on a personal project of mine. I heard a notification sound and, upon checking, it was from a friend asking if I could do an authorized penetration test on his online store. I obliged happily and began testing away. At this point I didn't know my friend's website was hosted by Shopify.

After putting in <script>alert(document.domain)</script> it didn't execute, but the page gave me some weird information, as shown below. So I reported it to him and went to bed.

*","productVariants":[{"id":"47338222800236","image":{"src":"[REDACTED]"},"price":{"amount":34.99,"currencyCode":"USD"},
"product":{"id":"62936892961632","title":"[REDACTED]","vendor":"[REDACTED]","type":"[REDACTED]"},
"title":"Default Title"},{"id":"20148082554457","image":{"src":"[REDACTED]"},"price":{"amount":45.99,"currencyCode":"USD"}, 
"title":"Default Title"},{"id":"91295609899555","image":{"src":"[REDACTED]"},"price":{"amount":35.99,"currencyCode":"USD"},
"product":{"id":"82404814798890","title":"[REDACTED]","vendor":"[REDACTED]","type":"Item"}]}});},
"https://cdn.shopify.com","browser","0.0.295",
"[REDACTED]",["web_pixels_use_shop_domain_monorail_endpoint",
"web_pixels_shopify_pixel_validation","web_pixels_prefetch_assets"]);
          

A day went past, and I was browsing a website when I noticed the URL endpoints looked similar. My curiosity got the best of me, and I wondered what would happen if I put in the same code that I had used to exploit my friend's website the previous day. Little did I know it would uncover a vulnerability affecting every third-party Shopify store.

The Vulnerability

As of 06/04/2023 this vulnerability has been fixed.

As of 04/04/2023 this vulnerability affected all online stores that use Shopify.
webPixelsManagerAPI.publish("search_submitted", {"searchResult":{"query":"</script><script>alert(document.domain)</script>"
              

When submitting </script><script>alert(document.domain)</script>, Shopify would take that unescaped string and pass it to its analytics function. Because the query is written into the inline 'web-pixels-manager-setup' script without escaping, the '</script>' in it closes that script element early, and the browser parses the '<script>' that follows as a new script element and executes its contents. This completely breaks the call to the analytics function and runs the code you submitted within the 'searchResult' query, allowing you to inject code into the DOM: DOM-based XSS.

POC

Blizzard's Merch Store [POC]
Sidemen Clothing [POC]
100 Thieves Merch Store [POC]
Discord's Merch Store [POC]

To reproduce this vulnerability as of 04/04/2023:

Start by going to any online store hosted by Shopify, for example Minecraft's Merch Store. Once the page has loaded, enter this into the search bar: </script><script>alert(document.domain)</script>. Once submitted, the query is written into the web pixels manager API call and executed on the client without the string being escaped.

You can also see what is happening by viewing the page source. For example, let's say I requested https://shop.minecraft.net/search?type=product&q=</script><script>alert(document.domain)</script> <h1>FIND ME</h1>. Now view the source of that page and search for '<h1>FIND ME</h1>'.

As you can see, it does get escaped in most areas, such as here:

window.ShopifyAnalytics.lib.track("Performed Search",{"query":"\u003c\/script\u003e\u003cscript\u003ealert(document.domain)\u003c\/script\u003e \u003ch1\u003eFIND ME\u003c\/h1\u003e"});
              
And here:
<input type="search" name="q" value="&lt;/script&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt; &lt;h1&gt;FIND ME&lt;/h1&gt;" placeholder="Search" class="site-header__search-input" aria-label="Search">
            
But as you can see here, unfortunately the query doesn't get escaped and will execute on the client:
webPixelsManagerAPI.publish("search_submitted", {"searchResult":{"query":"</script><script>alert(document.domain)</script> <h1>FIND ME</h1>")
            
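The two page-source snippets above show the same query escaped in the ShopifyAnalytics call and left raw in the webPixelsManagerAPI call. The following is an added example of my own, not Shopify's code: it renders the publish call both ways, mirrors how the HTML tokenizer cuts a script element at the first "</script", and shows that the \u003c-style escaping round-trips the original value. The publish name and searchResult shape come from the page; the query value is a constructed sample.

```javascript
// Added example, not Shopify's code. publish() name and searchResult shape
// come from the page; QUERY is a constructed sample payload.
const QUERY = '</script><script>alert(document.domain)</script> <h1>FIND ME</h1>';

// Vulnerable pattern: JSON.stringify leaves "<" and ">" untouched, so the
// HTML parser sees a literal "</script>" inside the JS string.
function renderSetupUnsafe(query) {
  const payload = JSON.stringify({ searchResult: { query } });
  return '<script>webPixelsManagerAPI.publish("search_submitted", ' + payload + ');</script>';
}

// Hardened pattern: escape the characters that matter to the HTML parser as
// JSON \uXXXX sequences (the same form seen in the ShopifyAnalytics call).
// JSON.parse decodes them back, so the script receives the original value.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSetupSafe(query) {
  const payload = jsonForInlineScript({ searchResult: { query } });
  return '<script>webPixelsManagerAPI.publish("search_submitted", ' + payload + ');</script>';
}

// Mirrors the HTML tokenizer: once inside <script>, the element ends at the
// first "</script" no matter how the JavaScript inside is quoted.
function firstScriptBody(html) {
  const open = html.search(/<script\b[^>]*>/i);
  if (open < 0) return null;
  const start = html.indexOf('>', open) + 1;
  const close = html.slice(start).search(/<\/script/i);
  return close < 0 ? html.slice(start) : html.slice(start, start + close);
}

// Review check for rendered HTML: the publish() call must survive intact.
function scriptBodyIsComplete(html) {
  const body = firstScriptBody(html);
  return body !== null && body.trim().endsWith(');');
}

// Parse the query back out of a rendered page the way the browser would.
function decodeRenderedQuery(html) {
  const m = /publish\("search_submitted", ([\s\S]*)\);$/.exec(firstScriptBody(html));
  return m ? JSON.parse(m[1]).searchResult.query : null;
}
```

Running scriptBodyIsComplete over rendered search pages is a cheap regression check for this class of bug: any query that truncates the inline script body fails it.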

Summary

Since this vulnerability works on every third-party Shopify store, it is a critical bug that I have decided to release and document, because I'm astonished that it was overlooked. 6,312,392 stores as of 04/04/2023 were affected by this vulnerability, but fortunately, as of 06/04/2023, Shopify has fixed it by escaping the 'searchResult' query, fixing all third-party Shopify stores.

This is the first blog post I've ever written, so it won't be the best, but I tried to make it as good as I could. Thank you for reading my blog; I really enjoyed writing this!