Shopify: [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) has public access to other users' images
News category: Security vulnerabilities
Source: vulners.com
Hello Shopify, when testing the Shopify Ping share-image function, I discovered an Amazon S3 bucket with public access, which allows an attacker to view all the images of other merchants and users.

Steps To Reproduce:
1. Install Shopify Ping on your phone, then enable Shopify Chat for your store.
2. Go to your Shopify Store and start chatting as a customer.
3. Log in to a Staff account on Shopify Ping and click on "send image".
4. Back in the Shopify Store as the customer, inspect the website code; you will find the URL of the image: https://ping-api-production.s3.us-west-2.amazonaws.com/oks
5. Now visit https://ping-api-production.s3.us-west-2.amazonaws.com; you can view all images of other stores.

Impact: Using this bucket access, a hacker can steal all private images of other stores and of the users who shared them through Shopify...
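The report above finds the bucket root listable and its objects readable by anyone. As an added example (not part of the report or of Shopify's code), the following audit flags the ACL grants and bucket-policy statements that produce exactly that exposure, beside a hardened pair that yields no findings. The ACL and policy documents are constructed inline in the shape boto3's get_bucket_acl and get_bucket_policy return, so no AWS call is made, and the bucket name is a placeholder.

```python
# Grantee groups that make an ACL grant reachable by anyone / any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Bucket-level READ in an S3 ACL is what permits listing the bucket's keys (s3:ListBucket).
LISTING_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions worth flagging when granted to Principal "*", with what each exposes.
RISKY_POLICY_ACTIONS = {"s3:listbucket": "list the bucket", "s3:getobject": "read every object",
                        "s3:*": "do anything in S3", "*": "do anything"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_findings(acl):
    """ACL grants that let AllUsers/AuthenticatedUsers list the bucket (shape of get_bucket_acl output)."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group and grant.get("Permission") in LISTING_ACL_PERMISSIONS:
            out.append(f"ACL grants {grant['Permission']} to {group}: bucket is listable")
    return out

def policy_findings(policy):
    """Unconditional Allow statements to Principal '*' for listing/reading actions in a parsed bucket policy."""
    out = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and conditioned grants need a separate review
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        for action in _as_list(stmt.get("Action", [])):
            exposure = RISKY_POLICY_ACTIONS.get(action.lower())
            if anyone and exposure:
                out.append(f"policy {stmt.get('Sid', '<no Sid>')} lets anyone {exposure}")
    return out

def audit_bucket(acl, policy):
    return acl_findings(acl) + policy_findings(policy)  # empty list: no public listing or reads found

# Constructed sample input: owner plus a world-READ grant, and a policy that opens GetObject to everyone.
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
# Hardened form: only the owner in the ACL and no public statement in the policy (constructed).
HARDENED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": []}
```

In a real audit the two documents come from get_bucket_acl and get_bucket_policy for each bucket in the account, and the Block Public Access settings should be checked alongside them, since they override both mechanisms.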