`message` event listener. The following check is used to reject invalid origins:

```javascript
var t = e.data, i = t.action, r = t.height, n = t.url, s = t.isCollapsed, a = e.origin;
!i || o.returnObjectValues(this.POST_MESSAGE_ACTIONS).indexOf(i) < 0 || this.iframe.src.indexOf(a) < 0 || this.postMessageHandler(i, r, n, s)
```
With `this.iframe.src` being something like `https://foo.myshopify.com/admin/bar`, this mostly does the job correctly. However, `e.origin` doesn't end with a slash, meaning that for example `https://foo.my` is a possible origin and would be accepted here. Sending a `redirect_to_url` message allows the attacker to specify a URL to redirect to, supplying a
Recommendation: changing the check into `this.iframe.src.indexOf(a + "/") != 0` should reliably reject all invalid origins.
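To make the difference between the two checks concrete, here is an added example (not code from the report or from Shopify) that runs the original substring test and the recommended prefix test side by side against a few constructed origins; `compareChecks` and the sample origins are assumptions made for this example.

```javascript
// Added example: the original substring check vs. the recommended prefix check.
// iframeSrc mirrors the value the report gives for this.iframe.src.
const iframeSrc = "https://foo.myshopify.com/admin/bar";

// Original check: the message is rejected only when the origin is not a
// substring of the iframe URL, so every prefix of that URL passes.
function originAcceptedBySubstringCheck(origin, src = iframeSrc) {
  return src.indexOf(origin) >= 0;
}

// Recommended check: the iframe URL must start with origin + "/", so the
// origin has to match the whole scheme and host, not just a prefix of it.
function originAcceptedByPrefixCheck(origin, src = iframeSrc) {
  return src.indexOf(origin + "/") === 0;
}

// Origins constructed for this example; only the first one is the shop itself.
const sampleOrigins = [
  "https://foo.myshopify.com", // the real shop origin
  "https://foo.myshopify.co",  // prefix of the URL under a different TLD
  "https://foo.my",            // shorter prefix, also a different host
  "https://evil.example",      // unrelated origin
];

// Returns origin -> { substring, prefix } decisions so both checks can be compared.
function compareChecks(origins = sampleOrigins, src = iframeSrc) {
  const result = {};
  for (const origin of origins) {
    result[origin] = {
      substring: originAcceptedBySubstringCheck(origin, src),
      prefix: originAcceptedByPrefixCheck(origin, src),
    };
  }
  return result;
}

console.table(compareChecks());
```

The table shows the two prefix origins accepted by the substring check and rejected by the prefix check, while the genuine shop origin passes both.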
This attack works against shop admins who have the admin bar enabled. If the admin bar doesn't show up at the bottom of your shop, clear cookies and make sure you are logged into the admin interface. I assume here that your shop is located under `foo.myshopify.com` - change the host name appropriately.
- Download the attached `exploit_admin_bar.html` page to the same directory on your computer.
- Edit your hosts file (`%Windir%\Sysnative\drivers\etc\hosts` on Windows) and add the following entry: `127.0.0.1 foo.myshopify.co` (note that it has to end with `.co`, not `.com`). The real attackers would register `foo.my` instead to attack your shop.
- Start the `ssl_server.py` script (requires Python 3) to run a local SSL-protected web server. On Linux and macOS this script needs to be run with administrator privileges.
- Open https://foo.myshopify.co/exploit_admin_bar.html in your browser and accept the invalid certificate (a real attacker would actually own `foo.myshopify.co`, so they would be able to get a valid certificate for it).
- Click the link on the page.