Question

I'm developing a Shopify App with Rails and have been using the query-string to detect which shop is accessing it. This seems vulnerable as users could alter the url to access someone else's settings.

Here's an example:

I click on the preferences link on my app and get redirected to http://example-app.com/preferences?shop=example.myshopify.com and get a page of settings related to the store: example.myshopify.com

So what's to stop the user from changing the querystring to http://example-app.com/preferences?shop=notmystore.myshopify.com and logging in to a store that they don't own?

Should I use an authentication gem (https://www.ruby-toolbox.com/categories/rails_authentication) and make each user create a username and password to prevent spoofing attacks?


Solution 2

I found the solution is to always retrieve the shop url from your session variables and not from the query string:

session[:shopify].url

Also make sure this is at the top of each of your controllers to ensure the Shopify session exists:

around_filter :shopify_session

as shown in this: https://github.com/Shopify/shopify_app/blob/f9aca7dfc9c29350f7f2c01bb72f77a54ece2b77/lib/generators/shopify_app/templates/app/controllers/home_controller.rb

OTHER TIPS

Interesting. There were live production Shopify App store Apps that did what you did, Paul. When I found an App like that, I informed Shopify and they promptly knuckle-rapped the App developer. He learned his lesson pretty quick and was hopefully very embarrassed.

Shopify Partner accounts (free to get) provide you with a nice API token and a corresponding secret for your App that you can use to ensure when you get a merchant trying to access your App that the incoming shop

  • is actually a shop that installed your App and,
  • they have the right to use your App

You should really check that out.

This question may be too localized, but I'll try to give you a direction.

If you are using the query string as the only authentication method, then yes, you will get hacked/spoofed, etc. You need to do some form of authentication. Shopify provides an API that can probably handle some/most of this for you.

https://github.com/shopify/shopify_api
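The two ideas in the answers above (trust the shop only from the session, and use the app secret to check the incoming shop), sketched in plain Ruby as an added example that is not from the original posts or from Shopify's code. It assumes Shopify's HMAC-SHA256 query signing (sorted key=value pairs joined with "&", with the hmac parameter excluded); APP_SECRET, the function names and the sample values are constructed for illustration.

```ruby
require "openssl"

# Constructed placeholder; a real app loads its secret from the environment.
APP_SECRET = "constructed-example-secret"

# HMAC-SHA256 over the sorted "key=value" pairs, excluding the hmac itself.
def sign_params(params, secret = APP_SECRET)
  message = params.reject { |k, _| k == "hmac" }
                  .sort.map { |k, v| "#{k}=#{v}" }.join("&")
  OpenSSL::HMAC.hexdigest("SHA256", secret, message)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login callback: the only place params["shop"] is read, and only after
# the signature over the whole query string has been verified.
def establish_session(session, params)
  return false unless secure_equal?(sign_params(params), params["hmac"].to_s)
  session[:shop] = params["shop"]
  true
end

# Every later request: the shop comes from the session; the query string
# is deliberately ignored, so editing ?shop= changes nothing.
def current_shop(session, _params)
  session[:shop] || raise(SecurityError, "no authenticated shop in session")
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  login = { "shop" => "example.myshopify.com", "timestamp" => "1700000000" }
  login["hmac"] = sign_params(login) # constructed, stands in for Shopify's redirect
  puts "signed login accepted: #{establish_session(session, login)}"

  tampered = { "shop" => "notmystore.myshopify.com" }
  puts "shop served for tampered URL: #{current_shop(session, tampered)}"

  forged = login.merge("shop" => "notmystore.myshopify.com")
  puts "forged login accepted: #{establish_session({}, forged)}"
end
```

In a Rails controller the same split applies: the signature check belongs in the login callback, and every other action reads the shop from the session behind a before/around filter.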

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow