CSRF on connecting Paypal as Payment Provider
Program: shopify
Bug Type: CSRF
Bounty: 500
Date: 2019-04-04
Summary
A potential CSRF vulnerability exists in Shopify's PayPal integration.
The merchantId parameter, used to link a store to a PayPal account, acts as a static secret rather than a per-request CSRF token.
If this value is ever exposed, an attacker could craft a URL that forces a store admin to connect the attacker's PayPal account to their store.
Exploitation is largely theoretical since the merchantId is long and unguessable, but exposure of this static token would allow unauthorized linking of payment accounts.
This summary was generated by AI
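
To make the distinction between a static secret and a per-request CSRF token concrete, the following is an added example, not code from Shopify or from the original report. The function names, the `state` parameter, the session identifiers and the in-memory nonce store are all hypothetical; only `merchantId` comes from the summary.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # constructed per-deployment signing key
TOKEN_TTL = 600                       # seconds a connect request stays valid
_used_nonces = set()                  # assumption: in-memory single-use store


def weak_callback_ok(store, params):
    """Static-secret pattern: the same merchantId is valid for any session, forever."""
    supplied = params.get("merchantId", "").encode()
    return hmac.compare_digest(supplied, store["merchant_id"].encode())


def issue_state(session_id, now=None):
    """Mint a per-request token bound to the admin session that started the flow."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    msg = f"{session_id}|{nonce}|{now}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{now}.{tag}"


def hardened_callback_ok(session_id, params, now=None):
    """Accept only a fresh, unused token that was issued to this same session."""
    now = int(time.time() if now is None else now)
    try:
        nonce, issued, tag = params.get("state", "").split(".")
        issued = int(issued)
    except ValueError:
        return False  # missing or malformed token
    msg = f"{session_id}|{nonce}|{issued}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # forged, or minted for a different session
    if not 0 <= now - issued <= TOKEN_TTL or nonce in _used_nonces:
        return False  # expired or replayed
    _used_nonces.add(nonce)
    return True
```

With the hardened check, exposure of `merchantId` alone no longer authorizes the link, because the callback also needs a token tied to the admin's own session and usable once.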