Shopware App Registration Flow Vulnerability Allowing App Credential Takeover

Vulnerability

A vulnerability exists in the Shopware app registration process prior to versions 6.6.10.15 and 6.7.8.1. This issue allows attackers, under certain conditions, to intercept and hijack the communication channel between a shop and an app. The problem arises from the legacy registration flow, which employed HMAC-based authentication without properly binding a shop installation to its original domain. During the re-registration process, the shop URL could be changed without verifying control over the previously registered domain. This flaw made it possible for attackers with knowledge of specific app-side secrets to redirect app traffic to a domain they controlled, potentially gaining access to API credentials meant for the legitimate shop.

Impact

Exploitation of this vulnerability could lead to unauthorized interception and manipulation of app-to-shop communication, allowing for 'data poisoning' attacks. Additionally, an attacker could obtain API integration credentials for the shop, with access rights granted to the app. This issue could cause apps to malfunction, masking the underlying security problem.

Remediation

Shopware users should update to version 6.6.10.15 or 6.7.8.1, which contain the fix. Those who remain on older versions can instead install or update the latest Shopware Security Plugin. App manufacturers should also update to the latest Shopware app SDKs or apply the corresponding changes to their custom registration implementations.
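The defensive change described above (binding a shop-id to the domain it first registered from, so a re-registration cannot silently re-point the app at another origin), as an added illustration for custom app backends. This is not Shopware's or the app SDK's code; the signature scheme (HMAC-SHA256 over the url-encoded query), the proof construction (shop-id + shop-url + app name), the freshness window and all sample values are assumptions chosen for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed sample values, not real credentials (assumed for this example).
APP_SECRET = b"constructed-app-secret"
APP_NAME = "ExampleApp"
MAX_SKEW = 300  # seconds; assumed freshness window for the registration timestamp

# Simulated persistence: shop-id -> shop-url recorded at first registration.
registered_shops: dict = {}


def sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the url-encoded query string, hex encoded (assumed scheme)."""
    return hmac.new(secret, urlencode(params).encode(), hashlib.sha256).hexdigest()


def handle_registration(params: dict, signature: str, now: Optional[float] = None) -> dict:
    """Validate a (re-)registration request and bind the shop-id to its first shop-url.

    Returns {"ok": True, "proof": ...} on success, or {"ok": False, "error": ...}.
    Checking the HMAC alone is what the legacy flow did; the extra domain-binding
    check is what refuses a re-registration that changes the shop URL.
    """
    if not hmac.compare_digest(sign(params, APP_SECRET), signature):
        return {"ok": False, "error": "bad signature"}
    ts = int(params.get("timestamp", 0))
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_SKEW:
        return {"ok": False, "error": "stale timestamp"}
    shop_id, shop_url = params["shop-id"], params["shop-url"]
    bound = registered_shops.get(shop_id)
    if bound is not None and bound != shop_url:
        # Same shop-id, different domain: refuse instead of re-pointing the app.
        # A real backend would also log this for investigation.
        return {"ok": False, "error": f"shop {shop_id} already bound to {bound}"}
    registered_shops[shop_id] = shop_url
    proof = hmac.new(APP_SECRET, (shop_id + shop_url + APP_NAME).encode(),
                     hashlib.sha256).hexdigest()
    return {"ok": True, "proof": proof}
```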

Added: Mar 11, 2026, 8:30 PM
Updated: Mar 11, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.