List of devices is accessible regardless of the account limitations

Disclosed: 2015-11-10 22:44:06 By rms To shopify
Vulnerability Details
List of devices is accessible regardless of the account limitations.

**PoC**

1. Create a limited account A with no rights.
2. Log some devices with a different account B.
3. From account A, `GET /admin/mobile_devices.json`.
4. List of devices.
Report Stats
  • Report ID: 97535
  • State: Closed
  • Substate: resolved
  • Upvotes: 3
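
The report does not state the root cause. As an added example (not Shopify's code and not part of the original report), the sketch below assumes one common cause, an endpoint with no permission declared, and contrasts a permissive check with a deny-by-default check plus an audit that lists unguarded routes. Everything except the path `/admin/mobile_devices.json` is hypothetical: the `Account` struct, permission names, route table and sample data are constructed.

```ruby
# Added example with constructed data; only the devices path comes from the report.
Account = Struct.new(:name, :permissions)

DEVICES_PATH = '/admin/mobile_devices.json'

# Hypothetical route table: each route declares the permission it needs.
# needs: nil models an endpoint that was shipped without any declaration.
ROUTES = {
  '/admin/orders.json' => { needs: :orders, data: [{ id: 10 }] },
  DEVICES_PATH         => { needs: nil, data: [{ id: 1, logged_by: 'B' }] }
}.freeze

# Corrected table: the devices endpoint now requires an explicit permission.
HARDENED_ROUTES = ROUTES.merge(
  DEVICES_PATH => ROUTES[DEVICES_PATH].merge(needs: :mobile_devices)
).freeze

# Permissive check: a route with no declared permission is served to any
# logged-in account, which reproduces the behaviour in the PoC.
def permissive(route, account)
  route[:needs].nil? || account.permissions.include?(route[:needs])
end

# Deny by default: a missing declaration is refused, not waved through.
def deny_by_default(route, account)
  !route[:needs].nil? && account.permissions.include?(route[:needs])
end

# Returns [status, body]; the body is only populated on an allowed request.
def get(routes, account, path, check)
  route = routes[path]
  return [404, []] if route.nil?
  send(check, route, account) ? [200, route[:data]] : [403, []]
end

# Audit to run in CI: every route must declare a permission.
def unguarded_routes(routes)
  routes.select { |_path, route| route[:needs].nil? }.keys
end

if __FILE__ == $PROGRAM_NAME
  limited = Account.new('A', [])               # account A: no rights
  p get(ROUTES, limited, DEVICES_PATH, :permissive)
  p get(ROUTES, limited, DEVICES_PATH, :deny_by_default)
  p unguarded_routes(ROUTES)
end
```

The same PoC steps make a useful regression test: a request from the no-rights account must return 403 for every admin route, including `.json` variants.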