might be finally time to show what I used to be able to do with Shopify in 2018.
The timers were from picking up the product. And they are correct.
0.248 ms from Product pickup to payment submitted.
I had captcha completely bypassed. 1/X
This is roughly how many pairs were hit. And we're talking limited edition things as well.
I wasn't missing a release. Wiping all stock. Having early links for products was a guaranteed cop. There was a time no one would touch on Kith, because I would be running that many tasks.
Should I explain how I originally found the method?... Pretty crazy story.
This was the checkout that I found it on. It was the first-ever time I had noticed Google checkouts, Apple Pay checkouts, etc. added to Shopify. It was a very, very recent addition to Shopify stores. I hunted around this for some time..
I found an endpoint that many bots probably still use something similar to this day - but at that point, no one was generating backend checkout IDs, everything was done frontend...
These were the days where all public bots were pulling CSRF tokens with BeautifulSoup before submitting the next page...
I was getting early links supplied to myself, so I could pull all variants and things early and set up a full checkout with the address and card already prefilled. It was just ATC+Confirm, and it was done through a direct API. No backend.
Might have to find some code/logs of like a tonne of checkouts somewhere.. give me a sec
GitHub commits for when I found the exploit and completely re-wrote the whole bot ground up in a week