$37,500 Shopify auth bypass - Hackerone
- Published: 18 Aug 2024
- 📧 Subscribe to BBRE Premium: bbre.dev/premium
✉️ Sign up for the mailing list: bbre.dev/nl
📣 Follow me on Twitter: bbre.dev/tw
This time I have for you more than one bug bounty report. It's three reports in total, but all of them affect the same functionality and are tightly correlated. They led to an auth bypass and account takeovers on Shopify by exploiting the email confirmation flow.
Report links:
hackerone.com/...
hackerone.com/...
hackerone.com/...
Hacker:
hackerone.com/...
/ ngalongc
Reconless channel:
/ @reconless
Follow me on twitter:
/ gregxsunday
Timestamps:
00:00 Intro
00:33 verifying someone's email address
01:28 exploiting email confirmation vulnerability
02:06 first fix
03:50 limited impact and third report
05:20 escalating the impact
#auth #bypass #shopify #hackerone #ato #account #takeover
Welcome to the comment section!
First, thanks for watching!
Make sure you are subscribed if you liked the video!
ruclips.net/user/BugBountyReportsExplained
Follow me on twitter:
twitter.com/gregxsunday
✉️ Sign up for the mailing list ✉️
mailing.bugbountyexplained.com/
☕️ Support my channel ☕️
www.buymeacoffee.com/bountyexplained
🖥 Get $100 in credits for Digital Ocean 🖥
m.do.co/c/cc700f81d215
@Kristian Ian Hello scammer how are you doing
@Kristian Ian I don't know if anyone cares, this is a scam. Took me just 3 sec to find it out.
Love this format of content! I can tell you put a lot of effort into this
Thanks mate! That's very motivating to hear such words ;)
Your videos are simple to understand and awesome.
I'm happy you think so!
subscribed after just watching two vids, amazing content
awesome, welcome on the board!
Awesome Explanation Buddy
😊
content is perfect - thank you!
👌👌
Please make more such videos ... It's really helpful ... Thanks
Thanks bro, I'm happy they help you!
Are you into hacking stuff too, bro?
Great explanation bro
That was really generous of the Shopify team to reward the bounty twice..... While on the other hand there have been many cases from multiple different programs where the vulnerability was patched and the hacker wasn't even rewarded once
I haven't hacked on them, but by looking at their reports, they seem really fair with hunters - always responding, explaining the bounty etc.
Nice contents sir! Already subscribed. Hoping that you upload more videos🥳
Hey man! Thanks for this information.. keep it up, I'm your new subscriber :)
welcome and thank you!
ngalog is a down to earth beast
yes he is!
This is crazy🔥 I was looking for a bug in the account 2FA system at Shopify but didn't get anything
keep trying man!
Ngalog is a beast.
indeed he is
Hi, I have a few questions, I would be grateful if anyone could answer my queries
1) How would the hacker know about the new accounts which have not been confirmed? I am assuming that the confirmation is for new accounts, not for old ones; correct me if I am wrong.
2) How did the hacker get to know about the merge accounts path/URL?
3) Can't Shopify disable/remove the change email ID link while confirming an account?
Ad 1: The hacker would create a new account with his new email and then change his email to the victim's email. The attacker does not need to find unconfirmed accounts.
Ad 2: He has probably gone through the whole process of merging accounts multiple times on accounts that he controls, so he knew what happens when and which link is used.
Ad 3: They probably could, but it's possible to fix it another way.
@@BugBountyReportsExplained Thanks for the reply. I have one more query. Isn't the confirmation only for new accounts, as confirmation happens only when the account is new but not for old accounts?
Thanks for the question. Yes, confirmation is for new accounts only, so the attacker needs to create a new account for each victim.
@@BugBountyReportsExplained Thanks a lot.
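For the mechanism described in the replies above, here is an added example (not Shopify's code and not the reporter's exploit; the account model, token format, class and function names are assumptions made to make the pattern runnable). It contrasts a confirmation token that is bound only to the account, which is what lets an attacker sign up with their own address, swap in the victim's address and then click the link they already hold, with a token that is bound to the address it was mailed to and re-issued on every address change.

```python
"""Email-confirmation flow: token bound to the account only (vulnerable) vs.
token bound to the address it was mailed to (hardened).

Added illustration for the thread above, not Shopify's code. Account model,
token format and function names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed per-process signing key; a real deployment loads this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass
class Account:
    user_id: int
    email: str
    email_verified: bool = False
    pending_token: Optional[str] = None


class VulnerableConfirmation:
    """The token only proves 'someone holds this account's link'. It is checked
    against the account, not against the address, so it confirms whatever
    address the account carries at click time."""

    def __init__(self) -> None:
        self.accounts: Dict[int, Account] = {}

    def signup(self, user_id: int, email: str) -> str:
        acct = Account(user_id, email, pending_token=secrets.token_urlsafe(24))
        self.accounts[user_id] = acct
        return acct.pending_token  # this is what gets mailed to `email`

    def change_email(self, user_id: int, new_email: str) -> None:
        # Bug: the outstanding token stays valid after the address changes.
        self.accounts[user_id].email = new_email

    def confirm(self, user_id: int, token: str) -> bool:
        acct = self.accounts[user_id]
        if acct.pending_token and hmac.compare_digest(acct.pending_token, token):
            acct.email_verified = True
            acct.pending_token = None
            return True
        return False


class HardenedConfirmation(VulnerableConfirmation):
    """The token is an HMAC over (user_id, email, nonce). Verification recomputes
    it with the account's *current* address, so a token mailed to one address
    can never mark a different address as verified."""

    @staticmethod
    def _mac(user_id: int, email: str, nonce: str) -> str:
        msg = f"{user_id}:{email.strip().lower()}:{nonce}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def _issue(self, acct: Account) -> str:
        nonce = secrets.token_urlsafe(16)
        acct.pending_token = f"{nonce}.{self._mac(acct.user_id, acct.email, nonce)}"
        return acct.pending_token

    def signup(self, user_id: int, email: str) -> str:
        acct = Account(user_id, email)
        self.accounts[user_id] = acct
        return self._issue(acct)

    def change_email(self, user_id: int, new_email: str) -> str:
        acct = self.accounts[user_id]
        acct.email = new_email
        acct.email_verified = False
        return self._issue(acct)  # fresh link, mailed to new_email only

    def confirm(self, user_id: int, token: str) -> bool:
        acct = self.accounts[user_id]
        if acct.pending_token is None or "." not in token:
            return False
        nonce, mac = token.split(".", 1)
        expected = self._mac(user_id, acct.email, nonce)
        # First check: the link is the one currently outstanding (single use).
        # Second check: the MAC commits to the current address, which holds even
        # if some code path ever changed the address without re-issuing.
        if hmac.compare_digest(token, acct.pending_token) and hmac.compare_digest(mac, expected):
            acct.email_verified = True
            acct.pending_token = None
            return True
        return False


def attacker_verifies_victim_email(flow: VulnerableConfirmation,
                                   attacker: str = "attacker@example.test",
                                   victim: str = "victim@example.test") -> bool:
    """Replays the sequence from the answer above: sign up with your own address,
    keep the link, swap in the victim's address, then click the original link."""
    token = flow.signup(1, attacker)   # link arrives in the attacker's inbox
    flow.change_email(1, victim)       # swap the address before confirming
    flow.confirm(1, token)             # click the link from step 1
    acct = flow.accounts[1]
    return acct.email == victim and acct.email_verified


def legitimate_confirmation(flow: VulnerableConfirmation, email: str = "user@example.test") -> bool:
    """Normal sign-up and click, to show the hardened flow still works for honest users."""
    token = flow.signup(2, email)
    return flow.confirm(2, token) and flow.accounts[2].email_verified


if __name__ == "__main__":
    print("vulnerable flow, attacker owns verified victim address:", attacker_verifies_victim_email(VulnerableConfirmation()))
    print("hardened flow, attacker owns verified victim address:  ", attacker_verifies_victim_email(HardenedConfirmation()))
```

The point to check in any confirmation flow you audit is the same one the replies above make: does the link confirm the address it was sent to, or whatever address the account happens to have when it is clicked? If an address change does not invalidate outstanding links, the second behaviour is what you get.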
New sub here, really amazing content. I love your videos❤️
welcome to the channel!
Thanks for the video =)
This guy looks like every teenage bully in cartoons
Thanks for sharing
thanks for watching
New sub here , please do create more vids like this😎
welcome🤛
But what will we do if the program asks how you will get access to the attacker's account to change the email address?
the attacker's account is the one that you (as the bug hunter) have created
Superb. Please make more videos 👍👌
I'm happy you like them, but I put a lot of time into each video and making more might affect quality.
For Hindi....?
Wtf? 2500+5000+7500=37500 ???
your maths is a little bit off :/
@@BugBountyReportsExplained In the video I see a payment of 2500, not 25k, so 2500+5000+7500?
@@viktorsamo5500 15k + 15k + 7.5k = 37.5k. The math isn't that hard. Did you only watch the end of the video? You obviously didn't watch the whole thing
❤️
❤️
😕😟