Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage

Disclosed: 2021-10-21 19:12:15 By golim To shopify
Low
Vulnerability Details
# Shopify.com Web Cache Deception Vulnerability

**Matteo Golinelli, July 21, 2021**

I am testing websites for possible Web Cache Deception vulnerabilities (you can find more about it [here](https://portswigger.net/daily-swig/path-confusion-web-cache-deception-threatens-user-information-online)) and I discovered that `shopify.com` is vulnerable.

Web cache deception (WCD) is an attack in which an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. This vulnerability allows a potential attacker to **steal personal** (and potentially *sensitive*) **information** of users of a website with a simple social engineering attack. The victim is only required to open a link in a browser in which they are authenticated on the given website; their information is then mistakenly stored by the cache server and becomes accessible to the attacker.

To confuse the cache server, I am using multiple path confusion techniques and appending to the URL a random string followed by the extension `.css`. I discovered that by applying path confusion followed by a random file name and `.css` it is possible for an attacker to leak an authenticated user's personal information. Using the slash character (`/`), the exploit URL can be formed as follows:

- `https://help.shopify.com/es/manual/your-account/copyright-and-trademark/<RANDOM_STRING>.css`

The cache server interprets this URL as a CSS file and caches the response, but your web server actually returns a 404 Not Found error page that includes some of the authenticated user's personal information, so that page (with the personal information embedded) is what gets cached.

Please find all vulnerable URLs in attachment F1384114.

## Steps to Reproduce

1. Create a random string, e.g. `abcdefg`.
2. Compose the URL as explained above, e.g. `https://help.shopify.com/es/manual/your-account/copyright-and-trademark/abcdefg.css`.
3. Open the URL in a browser where a user is authenticated, simulating the victim.
4. Request the same URL with `curl` (no cookies or other headers) to simulate the attacker.
5. Find the personal information of the user in the response body returned to `curl` (or in the page source when the URL is opened in an incognito browser). *See PoC below*.

## Leaked Data

- User's first and last name, username and email.
- User's profile picture.
- User's valid CSRF token: enables attackers to bypass CSRF protection.

The leaked data is all the data included in the 404 error pages.

## Proof of Concept

{F1384115}

In the browser on the right, the user is authenticated, while on the left we have a `curl` request without any headers (i.e., no cookies for authentication) simulating the attacker. Note the presence of the username in the `curl` response (the cached page).

{F1384116}

In this screenshot we can see that the page gets cached even though it contains personal information of the authenticated user.

**Note**: the attack works from different IP addresses in different locations, hence the attacker need not be on the same LAN as the victim to carry out the attack. The attacker must, however, be served by the same public cache as the victim for the attack to succeed (e.g., a European victim cannot be attacked by a US-based attacker).

## Other vulnerable subdomains

I detected other vulnerable subdomains of third-party stores on Shopify:

- `https://hatchful.shopify.com/furniture-logo-maker%25%32%46random.css`: leaks the authenticated user's API key.

## Mitigation

A possible mitigation is not to classify responses as cacheable by the extension in the URL alone, but also by their actual `Content-Type`. I see from the headers that the CDN in use is Cloudflare, which has a ready-to-go mitigation: [https://blog.cloudflare.com/web-cache-deception-attack-revisited/](https://blog.cloudflare.com/web-cache-deception-attack-revisited/).
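The two-request check from the steps above, together with the extension-only versus Content-Type-aware caching policies contrasted in the mitigation, as an added Python simulation that is not part of the original report: the origin server, the session store and the cache below are constructed stand-ins (hypothetical names and data), not Shopify's or Cloudflare's code. The vulnerable policy caches anything whose path ends in `.css`; the hardened policy also requires a 200 response whose `Content-Type` matches the extension, so the 404 error page carrying the victim's details is never stored.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    content_type: str
    body: str
    cache_status: str = "MISS"  # mirrors a CDN's HIT/MISS cache-status header


# Constructed session store for the simulation (hypothetical data):
# cookie value -> profile of the logged-in user.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess_victim": {
        "name": "Alice Example",
        "email": "alice@example.com",
        "csrf": "csrf-token-of-alice",
    },
}

STATIC_EXTENSIONS = (".css", ".js", ".png", ".jpg")
HELP_PAGE = "/es/manual/your-account/copyright-and-trademark"


def origin(path: str, cookie: Optional[str]) -> Response:
    """Hypothetical origin server. As with the 404 page described in the report,
    every HTML response, the error page included, embeds the logged-in user's
    name, e-mail and CSRF token."""
    if path == "/assets/site.css":
        return Response(200, "text/css", "body { color: #333 }")
    if path == HELP_PAGE:
        status, body = 200, "<h1>Copyright and trademark</h1>"
    else:
        status, body = 404, "<h1>Page not found</h1>"
    user = SESSIONS.get(cookie or "")
    if user is not None:
        body += ("<div class='account'>%s &lt;%s&gt;</div>"
                 "<meta name='csrf-token' content='%s'>"
                 % (user["name"], user["email"], user["csrf"]))
    return Response(status, "text/html", body)


class Cache:
    """Minimal shared cache keyed by path only. Cookies are deliberately not part
    of the key, as a CDN would behave for what it believes is a static asset."""

    def __init__(self, policy: Callable[[str, Response], bool]):
        self.policy = policy
        self.store: Dict[str, Response] = {}

    def fetch(self, path: str, cookie: Optional[str] = None) -> Response:
        hit = self.store.get(path)
        if hit is not None:
            return Response(hit.status, hit.content_type, hit.body, "HIT")
        resp = origin(path, cookie)
        if self.policy(path, resp):
            self.store[path] = resp
        return resp


def cache_by_extension(path: str, resp: Response) -> bool:
    """Vulnerable policy: cacheability is decided from the URL suffix alone."""
    return path.endswith(STATIC_EXTENSIONS)


def cache_by_content_type(path: str, resp: Response) -> bool:
    """Hardened policy: the suffix must agree with the Content-Type the origin
    actually sent, and non-200 responses (e.g. the 404 page) are never cached."""
    if resp.status != 200 or not path.endswith(STATIC_EXTENSIONS):
        return False
    expected = {".css": "text/css", ".js": "application/javascript",
                ".png": "image/png", ".jpg": "image/jpeg"}
    ext = path[path.rfind("."):]
    return resp.content_type.split(";")[0].strip() == expected[ext]


def wcd_probe(cache: Cache, exploit_url: str, victim_cookie: str, marker: str) -> bool:
    """The report's steps 3-5: the victim opens the link while authenticated, then
    the attacker fetches the same URL with no cookies. Returns True when the
    attacker's response came from the cache and contains the victim's marker."""
    cache.fetch(exploit_url, cookie=victim_cookie)
    attacker_view = cache.fetch(exploit_url, cookie=None)
    return attacker_view.cache_status == "HIT" and marker in attacker_view.body


if __name__ == "__main__":
    url = HELP_PAGE + "/abcdefg.css"
    print("extension-only cache leaks victim data:",
          wcd_probe(Cache(cache_by_extension), url, "sess_victim", "alice@example.com"))
    print("content-type-aware cache leaks victim data:",
          wcd_probe(Cache(cache_by_content_type), url, "sess_victim", "alice@example.com"))
```

Against a real target the probe is the same two requests: one from the victim's authenticated browser, then one with `curl` and no cookies. Cloudflare reports its decision in the `cf-cache-status` response header, so a `HIT` on the second request with the victim's data in the body confirms the issue; the hardened policy above still caches genuine stylesheets such as `/assets/site.css`, which is what makes it a usable fix rather than a blanket no-cache rule.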
## Impact

Users' personal information and valid CSRF tokens are leaked to the attacker.
Report Stats
  • Report ID: 1271944
  • State: Closed
  • Substate: resolved
  • Upvotes: 30