Account Takeover Vulnerability in Shopify Collabs Platform Due to Missing Email Verification

Disclosed: 2025-03-11 19:39:29 by kun_19 to shopify
Severity: Low

Vulnerability Details
## Summary

Shopify Collabs (collabs.shopify.com) is a new platform for content creators / influencers to discover and advertise the millions of brands on Shopify. Content creators can apply to different brands on this platform and get paid (affiliate marketing). In the past, the features of this new platform were provided by Dovetale (https://dovetale.com), but Dovetale has now been

* migrated to Shopify (via an extra app https://apps.shopify.com/collabs) for the **brands**
* replaced by the new platform collabs.shopify.com for the **creators**

I found a way to take over the account of **arbitrary creators** by using the new platform collabs.shopify.com. If a creator applies to be an ambassador of a brand with his email address, an attacker is also able to create a new Shopify ID and sign up at collabs.shopify.com with the **victim's email address**. Because no email verification is needed to use collabs.shopify.com, the attacker is thus able to take over the victim's account.

## Shops Used to Test

██████

## Steps To Reproduce

### Setup

1. (Brand) Install the new Shopify Collabs app (https://apps.shopify.com/collabs) on your store and create an application page for the creators
2. (Victim/Creator) Use the public link to apply to be an ambassador for the brand. You can find the link in the dashboard of the app: {F1875876}
3. (Victim/Creator) Follow the application process. Choose an email address ([email protected] in my case), specify a social media account of yours (e.g. the Instagram `adidas` handle) and submit the application: {F1883140} ██████ {F1883143}
4. (Victim/Creator) You should now receive an email to verify your account: {F1883144} {F1883145}
5. (Victim/Creator) Click on the button within the email to verify your email address. You should automatically be logged in to your Dovetale account and the brand should have received your application: {F1883146}
6. (Brand) You should have received a new application: ██████

In this state, an attacker is able to take over the victim's account...

### Exploitation

A **malicious staff member** of the brand or an **arbitrary attacker** is now able to take over the victim's account by doing the following steps:

1. (Attacker) Visit https://www.shopify.com/collabs/find-brands and "Apply for early Access"
2. (Attacker) You now have to create a new Shopify ID. Use the email address of the creator/victim ([email protected] in my case) for the new Shopify ID: {F1883153}
3. (Attacker) You should now be redirected to https://collabs.shopify.com/onboarding **without** needing to verify the email address!!! Just follow the onboarding procedure and you should finally be able to use the platform / be on the waiting list. {F1883166} {F1883169}
4. (Attacker) Now the attacker just has to wait until the pending application is approved by the brand.
5. (Brand) Approve the application from the creator: ██████████
6. (Victim) The victim gets a notification email that he was approved => Click on the button to accept the collaboration. If the session of the victim is still alive, the collaboration gets accepted and the attacker has already taken over the victim's account (in this case you can go ahead with step 10). Otherwise, the victim should now be notified that an account with this email address already exists: {F1883208}
7. (Victim) The victim is not able to enter his password because he has not yet specified a password. Thus, the victim is now blocked or... is resetting his password via the "Forgot your password" functionality
8. (Victim) Follow the password reset flow and specify a password: {F1883222}
9. (Victim) Click again on the button in the email to accept the application. The collaboration should now be accepted and the victim should be logged in: {F1883226} ███
10. (Attacker) The account has now been successfully taken over. The attacker is now also able to log in via collabs.shopify.com, use the account and perform any actions (I used https://hackerone.com/reports/1674731 to bypass the waiting list status of collabs.shopify.com): {F1883231} {F1883233}

## Impact

An attacker is able to take over the account of a creator by creating a new Shopify ID with the victim's email address and by using the new platform collabs.shopify.com. Alternatively, an attacker is able to block any user by creating a Shopify ID with the victim's email address => the victim is not able to apply to be an ambassador of a brand.
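As an added illustration, not part of kun_19's report and not Shopify's code: a toy model of the email-keyed flow described above, contrasting the policy the report found (a login with a matching address is enough to act on the creator's application) with a hardened one that only honours a verified address and lets the real owner supersede an unverified sign-up, so squatting the address can neither take over nor block the creator. The class and function names and the `victim@example.com` address are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Identity:
    email: str
    owner: str              # label for whoever created the login (constructed)
    verified: bool = False  # True once the mailbox owner clicked the link

class CreatorPlatform:
    def __init__(self, require_verified_email: bool) -> None:
        self.require_verified_email = require_verified_email
        self.identities: Dict[str, Identity] = {}  # email -> login identity
        self.applications: Dict[str, str] = {}     # email -> brand applied to

    def apply_to_brand(self, email: str, brand: str) -> None:
        self.applications[email] = brand  # victim's step; no login exists yet

    def register(self, email: str, owner: str) -> bool:
        existing = self.identities.get(email)
        if existing and (existing.verified or not self.require_verified_email):
            return False  # address already taken
        # Hardened mode only gets here past an unverified squatter, which is
        # replaced, so squatting an address cannot lock the real owner out.
        self.identities[email] = Identity(email, owner)
        return True

    def verify(self, email: str, owner: str) -> None:
        ident = self.identities.get(email)
        if ident and ident.owner == owner:  # only the current login can verify
            ident.verified = True

    def controller(self, email: str) -> Optional[str]:
        """Who may accept the collaboration tied to `email`, or None."""
        ident = self.identities.get(email)
        if ident is None or email not in self.applications:
            return None
        allowed = ident.verified or not self.require_verified_email
        return ident.owner if allowed else None

def simulate(require_verified_email: bool) -> dict:
    p = CreatorPlatform(require_verified_email)
    p.apply_to_brand("victim@example.com", "brand")          # victim applies
    p.register("victim@example.com", "attacker")             # never verifies
    after_attacker = p.controller("victim@example.com")
    victim_registered = p.register("victim@example.com", "victim")
    if victim_registered:
        p.verify("victim@example.com", "victim")             # proves mailbox
    return {"after_attacker_signup": after_attacker, "victim_could_register":
            victim_registered, "final_controller": p.controller("victim@example.com")}
```

`simulate(False)` reproduces both impacts from the report (the attacker controls the application and the victim cannot register), while `simulate(True)` leaves the unverified sign-up powerless and hands control to the victim once the mailbox is verified.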
Report Stats
  • Report ID: 1679734
  • State: Closed
  • Substate: resolved
  • Upvotes: 7