HackerOne Disclosed Reports - 2025-03-20


Severity: Medium   |   State: resolved

Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com


Bug reported by Samuel, disclosed on March 20, 2025, 8:23 pm   |   Improper Access Control - Generic

A privilege escalation vulnerability was discovered in Shopify's Partner Portal that allowed users without the "View referrals" permission to create POS leads by directly accessing the lead creation URL. The backend API lacked proper authorization checks, enabling users to bypass the restrictions implemented in the user interface and submit referrals without the necessary permissions.
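The defect class in this report is a UI-only permission gate: the front end hides the "create lead" control from users lacking "View referrals", but the backend endpoint never re-checks. The example below is an added illustration of that pattern and of the server-side fix; it is not Shopify's code, and every name in it (PERMISSION_VIEW_REFERRALS, create_pos_lead_vulnerable, create_pos_lead_fixed, the in-memory store) is hypothetical. It models the direct request a limited-privilege user sends when they skip the UI, and shows that only the handler with its own authorization check refuses it.

```python
"""Added example: UI-gated vs. server-enforced authorization for a lead-creation
endpoint. Not Shopify's code; all names and the permission string are
hypothetical, and the users/store below are constructed sample data."""
from dataclasses import dataclass, field
from functools import wraps

PERMISSION_VIEW_REFERRALS = "view_referrals"  # hypothetical permission identifier


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()


@dataclass
class ReferralStore:
    """Constructed stand-in for the backend's lead table."""
    leads: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised by a handler when the caller lacks the required permission."""


def ui_shows_create_button(user: User) -> bool:
    # Front-end gate only. Hiding a control is a usability decision, not a
    # security control: a direct request to the endpoint never sees this check.
    return PERMISSION_VIEW_REFERRALS in user.permissions


def create_pos_lead_vulnerable(store: ReferralStore, user: User, merchant: str) -> int:
    # Vulnerable pattern from the report: the handler trusts that the UI already
    # filtered callers and performs no authorization of its own.
    store.leads.append({"merchant": merchant, "created_by": user.name})
    return len(store.leads) - 1


def require_permission(permission: str):
    """Decorator that enforces a permission inside the handler itself, so the
    check runs for every request regardless of how it was produced."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(store: ReferralStore, user: User, *args, **kwargs):
            if permission not in user.permissions:
                raise Forbidden(f"{user.name} lacks {permission}")
            return fn(store, user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission(PERMISSION_VIEW_REFERRALS)
def create_pos_lead_fixed(store: ReferralStore, user: User, merchant: str) -> int:
    # Fixed pattern: same business logic, but the permission is checked server-side.
    store.leads.append({"merchant": merchant, "created_by": user.name})
    return len(store.leads) - 1


def simulate_direct_request(handler, store: ReferralStore, user: User, merchant: str):
    """Model a request sent straight to the endpoint, bypassing the UI.
    Returns ("ok", lead_id) or ("forbidden", None)."""
    try:
        return "ok", handler(store, user, merchant)
    except Forbidden:
        return "forbidden", None


# Constructed sample users: one with the permission, one without.
ADMIN = User("admin", frozenset({PERMISSION_VIEW_REFERRALS}))
LIMITED = User("limited", frozenset())

if __name__ == "__main__":
    store = ReferralStore()
    print("UI shows button to limited user:", ui_shows_create_button(LIMITED))
    print("vulnerable handler, limited user:",
          simulate_direct_request(create_pos_lead_vulnerable, store, LIMITED, "Merchant A"))
    print("fixed handler, limited user:",
          simulate_direct_request(create_pos_lead_fixed, store, LIMITED, "Merchant A"))
    print("fixed handler, admin user:",
          simulate_direct_request(create_pos_lead_fixed, store, ADMIN, "Merchant A"))
```

The useful regression check is the one simulate_direct_request performs: exercise the endpoint with a session that lacks the permission, not just confirm the button is hidden. Putting the check in a decorator on the handler keeps it next to the route so it cannot be forgotten when a new entry point to the same logic is added.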




