Apps with no Security

[Dave]

So, I just fired up a browser. A fresh session as they say. I then visited a Shopify App that charges money for it's use. I used a valid merchant Shop as the shop name and sent in the ID of a valid resource from that shop. 

Eg:  http://unamed_app.com/do_something?shop=fizzbuzz.myshopify.com&id=1234567

The App responded by showing me the data belonging to the shop fizzbuzz.myshopify.com that I HAD NOT EVEN LOGGED INTO. So, I could essentially change the shop's data as per the App, which had permissions to do so. 

I never had to login to that App, nor the shop. Simply provided the GET parameters, shop and ID. 

Is that normal App behaviour? I thought it was always expected that to use an App, you had to at least login to the App using the merchants shop name, to initiate the oAuth exchange and ensure some measure of security. 

I guess I am missing something special... and forcing my clients to do a dumb login step... when they could always just paste an URL into their browser and just get things done.

Any comments?

[Christopher Saunders]

I think that may simply be a developer making bad technical decisions.  I hope you've gotten a hold of them to let them know about this exploit.

--
 
 
 

[Aaron McLeod]

Yeah just checked my development version on heroku, definitely cannot do that.

--
 
 
 

--
Aaron McLeod
http://agmprojects.com

[Dave]

I figured as much... 

Thanks for the comments... 

[Blair Beckwith]

Hey Dave,

Thanks for pointing this out. Could you get in touch with me privately about the app in question?

Thanks,

--

Blair Beckwith (twitter: @rhomboss)
Developer Advocate // Shopify

--
 
 
 

[Dave]

Sure... I can inform you of the App that has escaped the notice of the gatekeepers. 

I am surprised no merchants noticed that the ease with which they could work with this App was in fact a Klaxon blaring the message  No security here folks, No security here folks.