Create free Shopify application credits ($2900 USD)
Original Post:
We discussed this vulnerability during Episode 81 on 13 September 2021
The Shopify GraphQL endpoint has a mutation appCreditCreate
for Shopify apps to issue credits to merchants that can be used towards future app purchases. While this mutation cannot be used through the GraphQL endpoint at /admin/internal/web/graphql/core
the GraphiQL app provided by Shopify however does allow the mutation. Allowing unauthorized users to create credits