Bypass of fix #1370749

Hello team, on report #1370749 the reporter found that the preview link is not expiring. So when someone will gain access to the preview link, he can access it for whole life as the preview link remains the same even after changing the storefont password. I have reported the issue #1401525 where i am getting the preview link with a user with limited permission. But it was duplicate of #1370749, because on that fix , getting the storefont url couldn't be accessed later after changing the store password. The report #1370749 has been fixed and the fix worked properly now upon changing the storefont password the previous preview link is expiring. But i have found another endpoint where it is leaking the storefont preview url and the strange thing is , it is not expiring even after the password change for the store font. It is remaining static and we can access the store through that permanently. 1- Admin of https://shakti-jan2022.myshopify.com/ invites user-a with themes permission only. 2- from User-a visit https://shakti-jan2022.myshopify.com/admin/themes 3- Now check the http history in burp, you will find an request ``` POST /admin/online-store/themes?hmac=████&host=c2hha3RpLWphbjIwMjIubXlzaG9waWZ5LmNvbS9hZG1pbg&locale=en-IN&session=███&shop=shakti-jan2022.myshopify.com&timestamp=1645562098&_signed_params=host%2Clocale%2Csession%2Cshop%2Ctimestamp HTTP/1.1 Host: shakti-jan2022.myshopify.com Connection: close Content-Length: 581 Cache-Control: max-age=0 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: null Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: iframe Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: ████ appShellSessionToken=███████&appShellAttempts=1&appShellReason= ``` Now the response will be ``` HTTP/1.1 200 OK Date: Tue, 22 Feb 2022 20:35:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Sorting-Hat-PodId: 240 X-Sorting-Hat-ShopId: 62790336753 Vary: Accept-Encoding X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Referrer-Policy: origin-when-cross-origin Content-Security-Policy: frame-ancestors https://shakti-jan2022.myshopify.com; default-src 'self' https://cdn.shopify.com https://cdn.shopifycdn.net; frame-src https://*; base-uri 'self'; object-src 'none'; img-src 'self' data: https://*; style-src 'self' 'unsafe-inline' https://cdn.shopify.com https://cdn.shopifycdn.net; font-src 'self' https://fonts.shopifycdn.com https://cdn.shopify.com https://cdn.shopifycdn.net; script-src 'self' https://cdn.shopify.com https://cdn.shopifycdn.net 'nonce-555f8cbe-fbc4-4125-9ae1-285b0bd06c9c'; connect-src 'self' online-store-web.shopifyapps.com https://notify.bugsnag.com https://burst.shopify.com wss://argus.shopifycloud.com https://shopify.s3.amazonaws.com monorail-edge.shopifysvc.com X-Dc: gcp-asia-southeast1,us-east1 X-Request-ID: d9d0bda6-b4bd-489b-9c3c-7384cbba086a X-Permitted-Cross-Domain-Policies: none CF-Cache-Status: DYNAMIC Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Server: cloudflare CF-RAY: 6e1affb60b3d8577-BOM alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Content-Length: 39792 <!DOCTYPE html><html lang="en-IN"><head><title data-react-html="true">Shopify</title><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="referrer" content="never"/><meta data-react-html="true" name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover, user-scalable=no"/><link data-react-html="true" rel="shortcut icon" type="image/x-icon" href="https://online-store-web-cdn.shopifycloud.io/webpack/assets/default-c840ed01a2c3f2cec40da60496e0e174.ico"/><link data-react-html="true" rel="preload" as="image" href="https://cdn.shopify.com/screenshots/shopify/z0069ofg35eaiunlanwztkkvti19n2o-62790336753.shopifypreview.com?height=900&amp;version=b5dc22c6d802d34212a20d2f443e1e570f0759468f4b0022c642916aeb4e3d2c&amp;width=1160"/><link data-react-html="true" rel="preload" as="image" href="https://cdn.shopify.com/screenshots/shopify/z0069ofg35eaiunlanwztkkvti19n2o-62790336753.shopifypreview.com?height=600&amp;version=b5dc22c6d802d34212a20d2f443e1e570f0759468f4b0022c642916aeb4e3d2c&amp;width=350"/><link rel="stylesheet" type="text/css"................. ``` Note the 5th and 6th line , there is an image url https://cdn.shopify.com/screenshots/shopify/z0069ofg35eaiunlanwztkkvti19n2o-62790336753.shopifypreview.com?height=600&amp;version=b5dc22c6d802d34212a20d2f443e1e570f0759468f4b0022c642916aeb4e3d2c&amp;width=350 4- Note the preview url from that image url that is z0069ofg35eaiunlanwztkkvti19n2o-62790336753.shopifypreview.com 5- Now navigate to admin and check the preview url, it is https://yok8gcda4v2iypbq-62790336753.shopifypreview.com/ 6- Remove user-a and change store font's password , Now the updated preview url will be https://b0b27da00akv5xui-62790336753.shopifypreview.com/ 7- check the preview url from step-5 which is https://yok8gcda4v2iypbq-62790336753.shopifypreview.com, this will show expired. 8- But navigate to the preview url you got from step-4 ( z0069ofg35eaiunlanwztkkvti19n2o-62790336753.shopifypreview.com ) that is gained by the attacker user . Now you can still have permanent access to the storefont through the preview url z0069ofg35eaiunlanwztkkvti19n2o-62790336753.shopifypreview.com, even if the store password got changed and the user has been removed after being suspect. ## Impact Bypassing the fix #1370749 and getting a previw url which is giving permanent access to the storefont even after multiple password change.