Self-XSS in password reset functionality
Low
Shopify
Team Summary
Official summary from Shopify
While the reporter identified this as an HTML injection, during our investigation we confirmed this was actually an XSS vulnerability but would have required a target to copy and paste a payload themselves. We made an exception to reward this `self-xss` with our minimum bounty given this occurred on `accounts.shopify.com`.
Reported by
zeesek
Vulnerability Details
Technical details and impact analysis
Hi,
When I opened this domain of yours,
https://accounts.shopify.com/password-reset/new
I just put the following text into the email address box,
<h1 style="color:blue;">█████</h1>
it changed the colour of the text.
Well, my point here is that if you could inject HTML, you might be able to add a <form> tag to the page.
I also uploaded the picture as proof.
Peace.
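Added example (not part of the report and not Shopify's code): the general pattern behind this class of bug, where a submitted email value is echoed into markup unencoded, shown beside a hardened form that validates the value and HTML-encodes whatever is echoed. All function names, the notice wording, and the sample input are assumptions made for illustration.

```javascript
// Added illustration; function names and message text are hypothetical.

// Encode the characters that let text break out of an HTML text node
// or a quoted attribute value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Conservative syntax check: one "@", no whitespace, no angle brackets or quotes.
function looksLikeEmail(value) {
  return typeof value === 'string' && value.length <= 254 &&
    /^[^\s<>"@]+@[^\s<>"@]+\.[^\s<>"@]+$/.test(value);
}

// Vulnerable pattern: the submitted value is concatenated into markup as-is,
// so any tags it contains are parsed by the browser.
function renderNoticeUnsafe(email) {
  return `<p class="notice">Reset instructions sent to ${email}</p>`;
}

// Hardened pattern: reject input that is not an address, and still encode
// the value that is echoed (valid addresses may contain ' or &).
function renderNoticeSafe(email) {
  if (!looksLikeEmail(email)) {
    return '<p class="error">Enter a valid email address.</p>';
  }
  return `<p class="notice">Reset instructions sent to ${escapeHtml(email)}</p>`;
}

// Encode-only variant for pages that echo the rejected input back to the user.
function renderEchoSafe(input) {
  return `<p class="error">"${escapeHtml(input)}" is not a valid email address.</p>`;
}

// Constructed sample input, modelled on the markup quoted in the report.
const SAMPLE = '<h1 style="color:blue;">test</h1>';
```

Validation alone is not the control here: the encoding step is what keeps a syntactically valid address such as `o'neil@example.com` from altering the surrounding markup.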
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$500.00
Submitted
Weakness
Cross-site Scripting (XSS) - Reflected