(BYPASS) Open Redirect after login at http://ecommerce.shopify.com
Unknown
Vulnerability Details
Hi,
Users can be redirected from http://ecommerce.shopify.com/accounts to some other site which is under the control of the attacker.
Let's say the attacker asked the victim to log in from here:
https://ecommerce.shopify.com/accounts?return_to=%40evil.com/
When the victim enters the password, he is redirected to https://evil.com.
These can be controlled by the attacker and used in other attacks.
Works in all browsers!!
Report Stats
- Report ID: 155222
- State: Closed
- Substate: resolved
- Upvotes: 11
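
Added example, not part of the original report and not Shopify's code: a server-side check for the return_to parameter shown in the report. It assumes the redirect target was built by appending return_to to the site origin (the report does not say how the server builds it); `naive_target`, `safe_target`, `host_of` and the `/accounts` fallback are hypothetical names chosen for illustration.

```python
from urllib.parse import urljoin, urlsplit

ORIGIN = "https://ecommerce.shopify.com"  # site named in the report
FALLBACK = ORIGIN + "/accounts"           # assumed default landing page


def host_of(url):
    """Host a browser will actually connect to (userinfo stripped)."""
    return urlsplit(url).hostname


def naive_target(return_to):
    """Assumed weak pattern: origin and parameter are simply concatenated.

    With return_to = "@evil.com/" the origin's host name ends up in the
    userinfo part of the URL and the real host becomes evil.com.
    """
    return ORIGIN + return_to


def safe_target(return_to):
    """Return a same-origin absolute URL, or the fallback if in doubt."""
    # Only local absolute paths are accepted: must start with one "/".
    if not return_to or not return_to.startswith("/"):
        return FALLBACK
    # "//host" is scheme-relative, and browsers treat "\" like "/".
    if return_to.startswith("//") or "\\" in return_to:
        return FALLBACK
    # Whitespace and control characters can be stripped by URL parsers.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in return_to):
        return FALLBACK
    # Resolve as a browser would, then compare scheme and authority.
    base = urlsplit(ORIGIN)
    resolved = urlsplit(urljoin(ORIGIN + "/", return_to))
    if (resolved.scheme, resolved.netloc) != (base.scheme, base.netloc):
        return FALLBACK
    return resolved.geturl()


if __name__ == "__main__":
    # Constructed sample inputs; the first is the decoded value from the report.
    for value in ["@evil.com/", "//evil.com/", "/\\evil.com", "/orders?page=2"]:
        print(repr(value), "naive host:", host_of(naive_target(value)),
              "| checked:", safe_target(value))
```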