Shopify Refuses to Fix RFD Vulnerability

Portuguese Web security researcher David Sopas has uncovered an RFD (Reflected File Download) vulnerability on Shopify’s platform, which, according to his vulnerability disclosure, the company refused to patch.

An RFD (Reflected File Download) attack relies on hackers crafting URLs that, when clicked by their victims, open a file download that seems to come from a trusted domain.

Because the source of these downloadable files can be sites like Google, Microsoft, Twitter, and so on, users generally tend to click them and execute the malicious payload without thinking twice about it.

One such vulnerability was found on Shopify, an online platform which allows users to easily set up online shops using a visual interface, and then have them hosted on Shopify’s cloud infrastructure.

According to the research carried out by Mr. Sopas, the app.shopify.com domain is susceptible to a Reflected File Download attack which would allow hackers to trick users into downloading dangerous files onto their computers.

The RFD attack is exploitable via old and new browsers alike

In Internet Explorer 8 and 9, Mr. Sopas claims that by accessing a malformed link, users will be faced with the option of downloading a simple .bat file.

In his example, the .bat file only opened a Chrome browser instance and redirected the user to a Web page showing some raw text. He says, however, that attackers won’t be so unimaginative and would use this vulnerability to execute more dangerous code that grants them access to the user’s PC, if they don’t simply redirect the user to a Web page serving an exploit kit.

The RFD vulnerability is also exploitable via newer browsers, not just old IE versions. In that case, however, the file has to be declared via a “download” attribute inside a linkable element on the page, rather than integrated in the malicious URL as in IE.

When the user eventually clicks the malformed link, they are greeted by the same download confirmation popup, which shows the file as coming from Shopify.
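As an added illustration (not code from the article or from Mr. Sopas's disclosure), the two delivery variants described above can be screened for in proxy logs or submitted HTML with a simple heuristic. The host `app.example.test`, the extension list, the function names and the sample inputs are assumptions made for this example.

```javascript
// Added example: heuristic screening for the two RFD delivery variants.
// Extension list, host name and function names are assumptions.
const RISKY_EXT = new Set(['bat', 'cmd', 'exe', 'hta', 'ps1', 'scr', 'vbs']);

function riskyExtension(name) {
  const m = /\.([A-Za-z0-9]+)$/.exec(name);
  return m !== null && RISKY_EXT.has(m[1].toLowerCase());
}

// Older-IE variant: the saved file name comes from the URL itself, so flag
// requests whose last path segment ends in a script or executable extension.
function riskyUrlFilename(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  let last = url.pathname.split('/').pop();
  try { last = decodeURIComponent(last); } catch { /* keep the raw segment */ }
  return riskyExtension(last) ? last : null;
}

// Newer-browser variant: the name comes from a "download" attribute on a link.
// Flag absolute links that point at the trusted host but force a risky file name.
function riskyDownloadLinks(html, trustedHost) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const download = /\sdownload\s*=\s*["']([^"']*)["']/i.exec(tag);
    const href = /\shref\s*=\s*["']([^"']*)["']/i.exec(tag);
    if (!download || !href || !riskyExtension(download[1])) continue;
    let host;
    try { host = new URL(href[1]).hostname; } catch { continue; }
    if (host === trustedHost) findings.push({ href: href[1], filename: download[1] });
  }
  return findings;
}

// Constructed sample inputs (not taken from the researcher's report).
const SAMPLE_URLS = [
  'https://app.example.test/api/search/update.bat?q=1',
  'https://app.example.test/api/search?q=update.bat',
];
const SAMPLE_HTML =
  '<a href="https://app.example.test/api/search?q=1" download="setup.bat">Install</a>' +
  '<a href="https://app.example.test/files/report.pdf" download="report.pdf">PDF</a>';

console.log(SAMPLE_URLS.map(riskyUrlFilename));
console.log(riskyDownloadLinks(SAMPLE_HTML, 'app.example.test'));
```

Hits are leads for review rather than verdicts, since a legitimate endpoint may serve files with these extensions.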

“In my opinion this was the last time I’ll send anything to Shopify,” noted Mr. Sopas after being told “that their prioritization is not up for discussion and [Shopify is] not patching any time soon.”

The vulnerability was discovered on March 19, 2015, and is still unpatched. This will probably change after the InfoSec media covers this story for a few days.

About webimprint

Webimprints is the leading company which provides global information security services to clients around the world.