As part of a bug bounty, the security researcher Uzsunny found a critical vulnerability on the Shopify platform. The vulnerability allowed the attacker to assign himself as a “collaborator” to any store on Shopify without approval of the store’s manager. Collaborators have full access to perform any action on the store, including reading customers’ data, changing inventory, and more.
The Shopify Partners Program allows experts to connect with Shopify store managers and provide them services such as design and web development. A single expert can be a collaborator on different stores.
The process of requesting “collaborator” access to an existing store contains three steps:
1. The expert enters the store URL.
2. The store manager receives an email about the access request.
3. Once the store manager approves the request, their browser sends an API call to:
This API call approves the access request by the expert and converts him to a “collaborator”.
The problem: The code did not validate that the API call was triggered by a store manager. In fact, any user could call the API endpoint and approve the access request, even if they don’t have the right privileges.
Using this technique Uzsunny managed to “login to any store with full permissions.” For his troubles, Uzsunny received a $20,000 bounty from Shopify, which reported: “We tracked down the bug to incorrect logic in a piece of code that was meant to automatically convert an existing normal user account into a collaborator account.”
Why Can’t Current Security Solutions Detect It?
The exploit in step #3 looks simple and requires only a single HTTP request: “POST /admin/settings/account/approve/<id>”. Authorization exploits usually look legit from a WAF/RASP perspective; they don’t contain suspicious payloads or characters, weird HTTP headers, or abnormal structure. In fact, if the same exact HTTP call was sent by a different user who is a store manager it would be completely legit.</id>
In order to understand authorization exploits, a much broader context is needed. It’s simply not enough to look at a single HTTP request.
How Traceable Solves the Problem
Our approach to detecting API attacks is very different. In a nutshell, we observe the data that passes through the API and the microservices of the app. We then use our machine learning algorithms to discover the application’s business logic. We get full visibility into the users and their roles, the API endpoints they communicate with, and the resources the endpoints interact with behind the scenes. Now we can create a baseline understanding of a legit user’s flow through the system.
The visibility into users helps us understand that the client is actually a guest user, and the visibility into the API helps us to recognize that the endpoint is an admin endpoint that should be used only by store managers. Then we can simply block malicious abnormal activity.
With this approach we can detect the most sophisticated and subtle API attacks, including BFLA (Broken Function Level Authorization).
Interested to learn more?
Watch our recorded demo and see Traceable Defense AI in action!