URL Path Manipulation Enables Cache Poisoning of Amazon Affiliate Products in Shopify Linkpop

Low
Shopify

Team Summary

Official summary from Shopify

A cache poisoning vulnerability in Shopify's Linkpop allowed attackers to manipulate Amazon affiliate product displays through specially crafted URLs. When victims added legitimate Amazon products, they would unknowingly display the attacker's products instead. In the end, this low severity issue was not fixed as the Linkpop service was scheduled for decommissioning on July 7, 2025.

Reported by saltymermaid

Vulnerability Details

Technical details and impact analysis

Cache Poisoning
# Summary

The fix in report ████████ seems to correctly prevent an attacker from redirecting the request to another domain, which was the main issue; however, there is still a way for that attacker to "poison" the cache using the Amazon domain. I believe the regex used to parse the URL is the cause.

# Description

If an attacker uses a crafted link such as `https://amazon.ca/dp/[VICTIM-PRODUCT-ID]/../[ATTACKER-PRODUCT-ID]`, anyone who then tries to use the "victim" product link `https://amazon.ca/dp/[VICTIM-PRODUCT-ID]` will be shown the attacker-controlled product. This way works even better because when you click the link button on the victim's page, it will even redirect to the attacker's product.

# Steps to Reproduce

1. Have two Amazon product IDs in hand (which haven't been cached yet)
   1.1. Attacker Product ID: `██████` (https://www.amazon.ca/dp/███)
   1.2. Victim Product ID: `████` (https://www.amazon.ca/dp/███████)
2. In your attacker's Linkpop account, add a new Amazon product using the following crafted link `https://amazon.ca/dp/[VICTIM-PRODUCT-ID]/../[ATTACKER-PRODUCT-ID]` and make sure to replace the placeholders
   2.1. Based on the IDs in step #1, you could use the following link `https://amazon.ca/dp/███/../████████`
3. Now, in the victim's Linkpop account, try to add the following product https://www.amazon.ca/dp/█████████, which is the "victim" product ID from step #1.

At that point you should be faced with the attacker's product (███) instead of the victim's product (███s).

# Notes

You can test the POC with the IDs I've provided. I haven't used them and luckily they won't be in the cache yet. If they are, you should notice it when adding the product as it will resolve very quickly (< 1s). If it doesn't work you will have to find new product IDs.

## Impact

An attacker is able to manipulate the caching system to its advantage by sending a crafted link which can trick victims into unintentionally linking a spoofed Amazon product to their Linkpop accounts.
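The following is an added example, not part of the report and not Linkpop's code. It models the mismatch the report describes, where the cache key is taken from the first `/dp/<id>` match while the resolved path points at a different product, and shows a check that derives the key only from a canonical path. The regexes, host allow-list, function names and product IDs are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical naive extractor: the first /dp/<id> in the path becomes the cache key.
NAIVE_ID = re.compile(r"/dp/([A-Z0-9]{10})")
# Strict form: the entire path must be /dp/<id> with an optional trailing slash.
STRICT_PATH = re.compile(r"/dp/([A-Z0-9]{10})/?")
ALLOWED_HOSTS = {"amazon.ca", "www.amazon.ca"}  # assumption for this example

# Constructed sample input; both IDs are placeholders, not real products.
CRAFTED = "https://amazon.ca/dp/B0VICTIM01/../B0ATTACK02"


def naive_cache_key(url):
    """Cache key as a first-match regex would compute it."""
    m = NAIVE_ID.search(urlsplit(url).path)
    return m.group(1) if m else None


def resolved_product(url):
    """ID the path points at once dot segments are removed (RFC 3986, 5.2.4)."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    m = STRICT_PATH.fullmatch(path)
    return m.group(1) if m else None


def safe_cache_key(url):
    """Derive the key only from a canonical https URL on an allowed host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("unexpected scheme or host")
    path = unquote(parts.path)  # decode first so %2e%2e is caught as well
    if any(seg in (".", "..") for seg in path.split("/")):
        raise ValueError("dot segments are not accepted")
    m = STRICT_PATH.fullmatch(path)
    if not m:
        raise ValueError("path is not exactly /dp/<id>")
    return m.group(1)
```

With the constructed link, `naive_cache_key` returns the victim ID while `resolved_product` returns the attacker ID, which is the key/content mismatch that poisons the entry; `safe_cache_key` rejects the same link outright.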

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$500.00

Weakness

Cache Poisoning