Periscope android app deeplink leads to CSRF in follow action
Program: x.com
Bug Type: CSRF
Bounty: 1540
Date: 2019-05-18
CSRF
mobile-security
android
Summary
This report describes a CSRF vulnerability in the Periscope Android app: a deeplink into the app could trigger the follow action with the victim's authenticated session, so a user who opened an attacker-supplied link would follow an account they never chose to follow.
The security-relevant point is that a deeplink handler runs inside the app with the user's credentials, so the web-style CSRF defenses (same-origin checks, per-request tokens) do not apply on their own; a state-changing action reachable directly from deeplink parameters can be triggered by any web page, message or other app that can launch the link.
The usual mitigation for this class of bug, not specific to this report, is to treat deeplink parameters as untrusted navigation hints and to require an explicit in-app confirmation (or a server-issued, user-bound token) before the follow is performed.
This summary was generated by AI