
How a Privilege Escalation Led to Unrestricted Admin Account Creation in Shopify

ID: 092ec682-9240-5dd1-aca6-3a75e43311e3

STIX ID: report--092ec682-9240-5dd1-aca6-3a75e43311e3

Feed Name: HackerOne Blog

Threat Score: 55/100

Date Published: 2024-12-12

Date Updated: 2026-06-12


**Executive Summary:** The report documents a privilege escalation vulnerability in a Shopify app that allowed an authenticated low-privilege user to create, and then authenticate as, an administrative account via the /users/create_admin endpoint. Researcher @stapia responsibly disclosed the issue, received a $1,600 bounty, and Shopify patched the flaw on 2021-08-25. The report includes step-by-step reproduction, identifies the causes (improper token scoping and weak role-based access control and principle-of-least-privilege enforcement), and recommends mitigations such as scoped single-use tokens, stronger authentication, input validation, and periodic permission reviews.
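The causes and mitigations named in the summary can be shown side by side. The following is an added illustration, not code from the HackerOne report or from Shopify: a simulated `create_admin` handler that checks only authentication (the weakness class described) next to a hardened version that enforces a role check and consumes an HMAC-signed, action-scoped, expiring, single-use token. The HMAC key, the token layout, the role names and the in-memory store are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumption: a server-side HMAC key; constructed value for this demo only.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


@dataclass
class User:
    name: str
    role: str  # "staff" (low privilege) or "admin"; role names are assumed


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    used_tokens: set = field(default_factory=set)  # replay protection


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_admin_token(issuer: User, ttl: int = 600, now=None) -> str:
    """Mint a token scoped to the create_admin action with an expiry and a nonce.
    Only an existing admin may mint one (least privilege at issuance time)."""
    if issuer.role != "admin":
        raise PermissionError("only admins may issue admin-creation tokens")
    now = time.time() if now is None else now
    payload = f"create_admin|{issuer.name}|{int(now) + ttl}|{secrets.token_hex(8)}"
    return payload + "." + _sign(payload)


def create_admin_vulnerable(store: Store, caller, new_name: str) -> User:
    """Weak form: authentication is checked, authorization is not."""
    if caller is None:
        raise PermissionError("authentication required")
    user = User(new_name, "admin")
    store.users[new_name] = user
    return user


def create_admin_hardened(store: Store, caller, new_name: str, token: str, now=None) -> User:
    """Hardened form: RBAC check plus a scoped, signed, expiring, single-use token."""
    if caller is None:
        raise PermissionError("authentication required")
    # RBAC: the caller's role must already permit admin creation.
    if caller.role != "admin":
        raise PermissionError("RBAC: only admins may create admins")
    payload, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        raise PermissionError("token signature invalid")
    scope, _issuer, expires, _nonce = payload.split("|")
    if scope != "create_admin":
        raise PermissionError("token not scoped to this action")
    now = time.time() if now is None else now
    if now > int(expires):
        raise PermissionError("token expired")
    if token in store.used_tokens:
        raise PermissionError("token already used")
    store.used_tokens.add(token)  # single use: burn before acting
    if new_name in store.users:
        raise ValueError("user already exists")
    user = User(new_name, "admin")
    store.users[new_name] = user
    return user


def attempt(fn, *args, **kwargs) -> str:
    """Run a handler and report 'created' or the rejection reason."""
    try:
        fn(*args, **kwargs)
        return "created"
    except (PermissionError, ValueError) as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Exercise both handlers with a low-privilege caller and an admin caller."""
    staff = User("staff_user", "staff")
    admin = User("owner", "admin")
    t0 = 1_700_000_000  # fixed clock so expiry behaviour is deterministic
    results = {}
    vuln_store = Store(users={"owner": admin, "staff_user": staff})
    results["vulnerable_staff"] = attempt(create_admin_vulnerable, vuln_store, staff, "new_admin")
    hard_store = Store(users={"owner": admin, "staff_user": staff})
    token = issue_admin_token(admin, ttl=600, now=t0)
    results["hardened_staff"] = attempt(create_admin_hardened, hard_store, staff, "new_admin", token, now=t0)
    results["hardened_admin"] = attempt(create_admin_hardened, hard_store, admin, "new_admin", token, now=t0)
    results["hardened_reuse"] = attempt(create_admin_hardened, hard_store, admin, "other", token, now=t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    results["hardened_tampered"] = attempt(create_admin_hardened, hard_store, admin, "x", tampered, now=t0)
    expired = issue_admin_token(admin, ttl=600, now=t0)
    results["hardened_expired"] = attempt(create_admin_hardened, hard_store, admin, "y", expired, now=t0 + 601)
    results["issue_by_staff"] = attempt(issue_admin_token, staff)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The role check and the token check are deliberately independent: the role check stops a low-privilege caller regardless of what token they hold, and the token's scope, expiry and single-use burn stop a leaked or replayed token even when presented by a legitimate admin session. Logging each rejection reason (as `attempt` surfaces it) gives a detection signal for probing of the endpoint.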
