Domain takeover of Shopify-based apps
So first of all, what is Shopify? Shopify is a Canadian multinational e-commerce company. Basically, it is a cloud service provider that allows you to create an e-commerce website in a super easy way.
I guess everyone is familiar with subdomain takeover. If not, then read this:
https://medium.com/@Hacker0x01/a-guide-to-subdomain-takeovers-ddebe0684a58
Let's start with how I exploited this.
I was not hunting on this target; I found it accidentally. I was searching for jeans for myself when I remembered that my friend had suggested this target to me, so I googled it. The first 2 or 3 results were target.com. Before, they had a domain with another_name.in.
I found another_name.in as the 5th or 6th result of the Google search. When I opened korra.in, I saw this type of error page.
So the next step is to find out who the owner of this domain is. I opened whois.com and searched for korra.in.
Whois.com is an application where we can find information about domain names, like whether they are available, who the owner is, the expiry date, IP addresses, etc.
This company is the parent org of target.com. So by this point we know who owns these assets.
Now this is the time to attack….!
I created a trial account on Shopify with the name target.com, which is not required; you can give any name.
After that, navigate to Sales channel > Domains and, under third-party domains, add the vulnerable domain name and connect it to the attacker's app.
After that, the attacker's app looks like this:
As you can see, I took over the domain name. I can host anything on this domain.
Impact: an attacker can run scams with this domain, and the company has to face legal issues.
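A defender-side check for the condition described above, as an added example that is not part of the original post: it reads a DNS zone export, picks the hostnames whose CNAME still targets Shopify, and flags those that serve the unclaimed-shop error page. The `.myshopify.com` suffix and the error-page marker string are assumptions, and all hostnames and probe results are constructed sample data.

```python
# Added example (not from the original post): audit your own DNS inventory
# for hostnames that still point at Shopify but serve no claimed store.
SHOPIFY_SUFFIX = ".myshopify.com"  # assumption: Shopify CNAME target suffix
UNCLAIMED_MARKERS = ("this shop is currently unavailable",)  # assumed error text

# Constructed zone export, one "name type value" record per line.
ZONE = """\
shop.example.com.    CNAME  shops.myshopify.com.
old.example.com.     CNAME  shops.myshopify.com.
legacy.example.com.  CNAME  shops.myshopify.com.  ; no probe yet
www.example.com.     CNAME  cdn.example.net.
blog.example.com.    A      192.0.2.10
"""

# Constructed HTTP probe results: hostname -> (status, body).
PROBES = {
    "shop.example.com": (200, "<html><title>Example Store</title></html>"),
    "old.example.com": (404, "<h1>Sorry, this shop is currently unavailable.</h1>"),
    "www.example.com": (200, "<html>home</html>"),
}

def parse_zone(text):
    """Return (name, type, value) tuples, lowercased, without trailing dots."""
    records = []
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(parts) != 3:
            continue
        name, rtype, value = parts
        records.append((name.rstrip(".").lower(), rtype.upper(), value.rstrip(".").lower()))
    return records

def points_to_shopify(rtype, value):
    # Prefix a dot so "evilmyshopify.com" does not match the suffix.
    return rtype == "CNAME" and ("." + value).endswith(SHOPIFY_SUFFIX)

def audit(zone_text, probes):
    """Map each Shopify-pointing hostname to claimed / dangling / unverified."""
    findings = {}
    for name, rtype, value in parse_zone(zone_text):
        if not points_to_shopify(rtype, value):
            continue
        status, body = probes.get(name, (None, ""))
        if status is None:
            findings[name] = "unverified"  # record exists but was never probed
        elif any(marker in body.lower() for marker in UNCLAIMED_MARKERS):
            findings[name] = "dangling"    # remove the record or reclaim the shop
        else:
            findings[name] = "claimed"
    return findings
```

A hostname reported as `dangling` should have its DNS record removed or be re-attached to a store the organisation controls; `unverified` entries need a probe before they can be cleared.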
The company doesn’t have a bug bounty program, but they rewarded me with a small xxxx INR.
After bounty