What is Account Takeover?

Account takeover (ATO) is a type of cyber attack where an unauthorized person gains access to a user’s account. This can happen due to various factors such as weak passwords, phishing attacks, or unpatched software. Attackers can use the compromised account to perform fraudulent activities or steal sensitive information.

The Story

In 2020, a security researcher known as “ngalog“ revealed a significant security flaw in Shopify’s email confirmation system thus allowing one to escalate it to a shopify account takeover. According to the report, any individual could take over any store account through bypassing the email confirmation step on *.myshopify.com. The researcher found a way to confirm arbitrary emails, and after confirming an arbitrary email in *.myshopify.com, the user would then be able to integrate with other Shopify stores that share the same email address by setting a master password for all of the stores, effectively taking over every Shopify store by knowing just the owner’s email address.

Ngalog Explain Step by Step To Reproduce

The flaw occurs because Shopify’s email system mistakenly sending the confirmation link for a new email address address to the one used to sign up.

The bug in the email system allows users to confirm an arbitrary email address, leading to a takeover of the user’s Shopify instance by taking advantage of the Single Sign-On (SSO).

The steps to reproduce the vulnerability are simple. One needs to visit the Shopify website and sign up for a free trial with an email address that can receive emails.

Then, the user must change their email address to someone they want to take over and save it. Upon receiving the confirmation email, the user can click on the link sent by the email system and confirm the arbitrary email address.

With the ability to confirm arbitrary emails on *.myshopify.com, the attacker can leverage the SSO to set a master password for all other stores under the same email address. This way, the attacker gains access to all the stores connected to the email address.

Earn a USD 15,000 Bounty and USD 1,000 for being the Most Impactful Hacker in Shopify

This flaw has significant security implications, and Shopify has recognized this by rewarding ngalog with a total of $15,000.

Shopify has also offered a $1,000 reward to the most impactful hacker of 2020 based on the number of valid reports and bounties earned.

Shopify urged all its users to update their passwords and check their email records for any suspicious activities. The company also released a patch to fix the vulnerability in its email confirmation system. As the security researcher’s report shows, even big companies like Shopify can still have vulnerabilities that can be exploited by hackers.

Hence, it is essential to remain vigilant and implement security measures to prevent any unauthorized access to sensitive information.

How to Prevent Account Takeover?

To prevent account takeover, it is essential to implement several measures to protect user accounts from unauthorized access. One of the most important measures is to encourage users to create strong and unique passwords for each account. Passwords should be complex and difficult to guess, and users should avoid using the same password across multiple accounts.

Here are some steps to prevent Account Takeover:

1. Multi-factor authentication is another essential measure to prevent account takeover. By requiring additional authentication factors beyond passwords, such as SMS codes, biometric scans, or security tokens, fingerprint, multi-factor authentication (2fa) provides an extra layer of security to protect against unauthorized access.
2. Conduct regular security testing: Conduct regular security testing to identify vulnerabilities and weaknesses in the application, including penetration testing, vulnerability scanning, and code review.
3. Implement security best practices: Ensure that application development follows security best practices, such as implementing hashing in parameter or value, using salting passwords, and using secure coding techniques.
4. Regular security updates and patches are also critical for preventing account takeover. Keeping software, firmware, and operating systems up-to-date ensures that known vulnerabilities are patched and that the account is secured against potential threats.
5. Use access controls: Implement access controls to limit access to sensitive parts of the application and data. This includes role-based access control (RBAC), permission levels, and authentication and authorization mechanisms.
6. In addition, monitoring user accounts for suspicious activity can help prevent account takeover. By analyzing login patterns and user behavior, security teams can quickly detect and respond to potential security breaches before they cause significant damage.
7. Finally, user education and awareness are also essential for preventing account takeover. Users should be educated on best practices for creating and managing strong passwords, how to detect and report suspicious activity, and how to avoid phishing and social engineering attacks.

Hackerone Report: here