IDOR on GraphQL queries BillingDocumentDownload and BillDetails
Program: Shopify
Bug Type: IDOR
Bounty: Unspecified
Date: 2023-10-12
Summary
The BillingInvoice ID accepted by Shopify's GraphQL BillDetails query and BillingDocumentDownload mutation is not checked against the shop of the authenticated merchant, so any attacker with a valid session can read another merchant's invoice data simply by swapping the invoice ID. Changing the id parameter in either request returns the victim's invoice details or invoice PDF, exposing merchant email addresses, full postal addresses, invoice contents, the last four digits of the payment card (or the PayPal email) and shop information without any authorization check. Because the only prerequisite is a session of the attacker's own, the flaw leaks billing and partial payment information across multiple merchants.
This summary was generated by AI
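The following Ruby model illustrates the authorization gap described above and the fix a reviewer would expect. It is an added example, not Shopify's code: the Invoice and Session structs, the INVOICES table, the resolver names and the example IDs are all hypothetical, and the sample data is constructed. The vulnerable resolver looks an invoice up by id alone; the hardened one scopes the lookup to the caller's shop and returns the same "not found" result for a missing id and for another tenant's id, so an attacker learns nothing from the difference. The probe at the end is the tester-side check: call the resolver with a victim's invoice id and an attacker's session and see whether data comes back.

```ruby
# Added example, not Shopify's code. All names below are hypothetical.
Invoice = Struct.new(:id, :shop_id, :email, :address, :card_last4, :pdf)
Session = Struct.new(:shop_id)

# Constructed sample data: two merchants, one invoice each.
INVOICES = {
  "gid://example/BillingInvoice/1001" => Invoice.new(
    "gid://example/BillingInvoice/1001", "shop_a",
    "owner@shop-a.example", "1 First St, Ottawa", "4242", "PDF-A"),
  "gid://example/BillingInvoice/1002" => Invoice.new(
    "gid://example/BillingInvoice/1002", "shop_b",
    "owner@shop-b.example", "2 Second Ave, Toronto", "1881", "PDF-B"),
}.freeze

class NotAuthorized < StandardError; end

# Vulnerable resolver: authentication only. Any caller with a session
# who swaps the id receives another merchant's invoice (the IDOR).
def bill_details_vulnerable(session, id)
  raise NotAuthorized, "login required" unless session
  INVOICES[id]
end

# Hardened resolver: the lookup is scoped to the session's shop.
# A missing id and a cross-tenant id both yield nil, so the response
# does not reveal whether the other merchant's invoice exists.
def bill_details_secure(session, id)
  raise NotAuthorized, "login required" unless session
  invoice = INVOICES[id]
  return nil unless invoice && invoice.shop_id == session.shop_id
  invoice
end

# The download mutation reuses the same scoped lookup: the PDF is
# returned only when the invoice belongs to the caller's shop.
def billing_document_download_secure(session, id)
  invoice = bill_details_secure(session, id)
  invoice && invoice.pdf
end

# Tester-side IDOR probe: true when a resolver hands the attacker's
# session data for an invoice id that belongs to the victim.
def idor_probe(resolver, victim_invoice_id, attacker_session)
  !resolver.call(attacker_session, victim_invoice_id).nil?
end

if __FILE__ == $PROGRAM_NAME
  attacker = Session.new("shop_b")
  victim_id = "gid://example/BillingInvoice/1001"
  puts "vulnerable leaks: #{idor_probe(method(:bill_details_vulnerable), victim_id, attacker)}"
  puts "hardened leaks:   #{idor_probe(method(:bill_details_secure), victim_id, attacker)}"
end
```

In a real test against a GraphQL endpoint the probe is the same idea at the HTTP layer: send the BillDetails query and the BillingDocumentDownload mutation with the attacker's session cookie and a victim's invoice id, and treat any non-empty invoice payload or PDF as a finding.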