Discovering a Critical Vulnerability in a Shopify App: Loox Reviews

I’m no stranger to stumbling upon oddities in software, and this time I found something big: a vulnerability in a popular Shopify app, Loox Reviews, that made me raise an eyebrow. Loox is a well-known reviews app that many Shopify merchants use to build credibility with customer feedback. What I found was a critical flaw that could expose sensitive customer data, all because of an insecure direct object reference (IDOR).
Please note this vulnerability was discovered and fixed in 2023; this blog post is a post-mortem.

The Vulnerability: What Was the Issue?

It all started with a seemingly innocent GET request. I was poking around the Loox reviews widget for some work project when I noticed something odd. Loox uses publicly accessible merchant IDs as part of their request URL. No big deal, right? Well, it became a big deal when I realized that by simply modifying the merchant ID in the URL, I could access another merchant’s review data—including sensitive customer information, such as email addresses, review content, and admin settings. It's one thing to access publicly-available information, product reviews in this case, but this was much more.

To make matters worse, this didn’t even require any sort of authentication. Anyone, even if not logged in to Shopify, could exploit this vulnerability. All an attacker had to do was find a merchant ID (easily scraped from public pages) and modify a URL. With that simple change, you could pull down entire CSV files filled with reviews and customer data.

The Technical Breakdown

At the core of the issue was Loox’s hash generation mechanism. When an export URL is requested, Loox generates the export hash via a publicly accessible endpoint, and this step bypasses the standard authentication checks. The system allowed anyone with the right merchant ID to manipulate the URL, grab an export hash, and download review data, all without needing a valid login.

MuStack MicroVM: An Overcomplicated Solution to a Problem That Doesn't Exist

I have a habit of diving headfirst into projects that are fun but maybe not super useful. A project I worked on a few months ago is MuStack MicroVM (msmv), a project that took far more effort than necessary to create something that, in all honesty, I’ll probably never use again. But hey, at least it works, right?


So, What Exactly is msmv?

At its core, MuStack MicroVM is a minimalistic Linux virtual machine build system. Think Docker, but without all the convenience and with way more manual labour involved. It's designed to create lightweight, secure, and isolated virtual machines for testing environments. Perfect if you're someone who enjoys the thrill of complexity, like building a ship in a bottle—but digitally. Plus, I'm a sucker for naming projects with an acronym.


Remote code execution on no-name wifi repeaters: Part 2

After bricking the last wifi repeater in my last post, I was determined not to do that again. At least not intentionally.

This time around, I purchased the same model as before (U13) as well as three more units of a different model, for $10 and $7 CAD respectively. The goal here is to get root access via SSH/telnet and use these devices as general purpose Linux single board computers. With an ethernet port, built-in power supply and wifi, these boards are great for single-purpose servers.

New hardware

These models kept popping up in recommended items in the Aliexpress app, so I thought I would check them out. Just like the previous model, there's no technical information about these devices or who makes them. All we know is that there's an ethernet port, it has 2.4GHz wifi...and that there's a WPS button. Some listings display the brand as iMice but nothing turns up on Google.


Searching around YouTube, I was able to find branded devices using the same hardware:

  • MECO WIFI Wireless Signal Amplifier 
  • Accmor 300Mbps 802.11 n Wireless WiFi Repeater
  • AMAKE Wifi Repeater 300M Range Extender
  • NoyoKere Wifi Repeater 300Mbps Range Expander
  • Seaidea 300Mbps Wireless-N Mini Wifi Repeater
  • iMeshbean® Wifi Repeater 300M Range Extender
  • NINISEI Wifi Router/Repeater
  • F&M Wireless-N 300Mbps 2.4G Wifi Repeater
  • PIX-LINK WR03 Wireless WiFi Repeater 
  • Wi-Fi Repeater XY-300MZJ1

One funny misspelling is the username "admim" on the sticker:

The 4 LED model seems to differ from the 7 LED model, and on the latter model listing the seller displays the chipset as RTL8196E with 16MB flash and 128MB RAM.

Software


Plugging the device into the wall, and going to the printed address (192.168.11.1) we get a very familiar web admin UI. This time, the manufacturer decided to use orange instead of blue.


Getting root access on a $10 Aliexpress Wifi repeater

I have a fixation of buying little electronic trinkets and gadgets on foreign websites for cheap prices. Something about the cost of such little things, and that it takes 3-4 weeks to arrive at my door, provides me with excitement when I visit the post office to pick up my parcels. Lately, I purchased some ESP32 and ESP8266 boards for around $3, and various other programmers and jumper cables for around the same price point. It makes experimenting with a new project fun and inexpensive (great if you like to drop projects after a month too).

In the hot summer we're having out here, I like to sit in my yard and read online tech news and blogs on my phone. Being the hedonistic person I am, I cannot wait 3-4 seconds for a page to load. The wifi coverage at my house is sufficient indoors, but when I go 150 yards away, it can be abysmal.


The purchase



So, in my regular late night Aliexpress shopping sprees, I found a $10 ($7 USD) wifi repeater that might fit the bill. 

It seems the price has gone up since I purchased the device

There's really no information about this device, anywhere. No model number. These seem to get the model numbers of AC1200M and also U13 if you poke around Aliexpress. If you look on Amazon, you'll find the exact same model selling for over double. To connect this device to your wifi network, it seems you just press the WPS button and voila, it connects and you have a repeated signal.

So when it finally arrived the other day, I plugged it into the wall, followed the not-so-cryptic instruction manual and I was on my way. 


Small software and fun with an ESP8266

I enjoy building small, self-contained software for the pure joy of simplifying what you build. Building complex software is easy; small and maintainable software is not (not always anyway).
In that same vein, I have been working on a floppy-sized Linux distro (fluxflop) for the pure fun of seeing how small I can build the Linux kernel while keeping it usable. Running make tinyconfig is easy enough, but how small can you truly make the kernel?

In my quest to find any resources on this, I stumbled upon Linux Tiny. It's a set of patches (with the intention of getting the patches merged into mainline to make future builds easier) that can slim down the kernel and add additional Kconfig options for reducing the compiled size. The project has not been updated since approx. 2007 and uses Linux 2.6.23.0. Forward-porting these patches (what's the opposite of backport with newer software? haha) would take time and it's not guaranteed that the patch intention would work the same. Well, with too much time on my hands, I dug deep and did just that. You can see the git repo here with updated patches for Linux 6.9. Now, they are not guaranteed to work for everyone and every arch, but for i386 I was able to shave off about 80KB, which doesn't seem like much, but it all adds up in the end. For fluxflop, I was able to trim bzImage down to 712KB, and an aarch64 kernel down to about 820KB.

I found this presentation that Matt Mackall gave in 2004 for the introduction of Linux Tiny. In the slides, it is mentioned that the Linux kernel produced, with net, EXT2, a NIC (not mentioned which one) and IDE, was 363KB! Very impressive. For my project, that 712KB is without /dev/ram, filesystems, networking, VGA, or even PS/2. All over serial too, so good luck having it be any use on a desktop box. Still, this is something to aim for. I would be curious to replicate the results in the presentation to build a 720KB floppy-sized Linux distro.

Browse the [modern] web in Internet Explorer 5 & 6

Here's something fun: Enable HTTPS browsing on IE5/Windows 98 with a Flask proxy that handles SSL and rewrites web content.

Windows 98 IE 6 Screenshot

For whatever reason, I have a Windows 98 virtual machine in UTM (which is fantastic on Apple Silicon) that I like to boot into and take a trip down memory lane. It's fun, and painful at the same time. But, the modern web has moved on from Internet Explorer 6 (and Internet Explorer in general, but we're not celebrating that in this post). Lost in the dust, Internet Explorer of the Windows 98 days doesn't quite work anymore. IE6, released in 2001, came with support for SSL 2.0 and 3.0, and later updates added support for TLS 1.0. At the time, this was sufficient. The web was a different place, less sophisticated in both the technology it used and the threats it faced (generally speaking, of course).

Leaking custom GPTs prompts for fun

OpenAI released the GPT Store earlier this week, allowing users to share their prompts with anyone with ChatGPT Plus. This follows the GPT Builder program's introduction, allowing users to create tailored chatbots for various tasks. The store has reviews and even a revenue-sharing feature for custom GPTs.

I am not swayed by anyone's custom [instruction] GPT; there are many posted to Reddit and around the web touting their benefits. Well, I had some time this weekend and spent it learning about prompt injection and how to leak the initial prompt.

Backstory

For creating a custom GPT, you can include specific instructions (duh) as well as include documents and interact with web APIs.

Failing HTTPS proxy with Ngrok on Railway.app

I've been a fan of free code-to-cloud deployment services (PaaS) like Railway.app and Fly.io to launch my fly-by-night ideas. They both offer generous free tiers that will allow you to run your code (Node, Python, etc.) on their platform and host it for whatever use. The downside of all these different PaaS companies is that they all come with their own CLI that you must learn, with different syntax. Regardless, deploying from Git is easy enough and in fact simpler. Anyway.

I've been working on a new project that I think I'll turn into a SaaS eventually. A part of the project uses Google OAuth to log in to the user dashboard. Setting up a new application in Google Cloud Platform is easy enough: make your keys, set your permission scopes and voila, instant Google SSO for your custom application. A part of this is specifying your redirect and callback URLs.

The New Unicomp IBM Model M

I've had my IBM Model M for over 10 years (even though it predates me) and it's been a staple in my computing. Nothing has been more of a staple and a constant in my life than that keyboard.

Unfortunately the pivot on the left shift key became loose, and thus the left shift became unreliable. After looking into finding replacement parts, the one place that sells the part...also sells brand new Model M's. Killing two birds with one stone, I just ordered the Unicomp IBM Model M.

Coming from the 139041 model, I gained a Windows key (Tux key as you can see) and opted for the larger spacebar.

New Unicomp Model M