Shopify


Most disclosed vulnerability type (49 disclosures) — Cross-site Scripting (XSS) - Generic

zombiehelp54 has disclosed the most with 20 reports!

306 total issues disclosed

$467,387 total paid publicly


Accepts reports via HackerOne



Most recently disclosed


[Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image

@ Submitted by vocotnhan
Bug Type: Information Disclosure

Disclosed on 2020-11-21

Rating: Medium


Self xss in product reviews

@ Submitted by tomorrow_future
Bug Type: Cross-site Scripting (XSS) - Generic

Disclosed on 2020-11-19

Rating: No rating


Staff Member can Get POS Access Without User Interaction

@ Submitted by ngalog
Bug Type: None supplied

Disclosed on 2020-11-19

Rating: Medium


Customer's full name disclosure via Shopify Chat (by email lookup)

@ Submitted by francisbeaudoin
Bug Type: Information Disclosure

Disclosed on 2020-11-19

Rating: No rating


XSS stored in the Shopify Email app

@ Submitted by tomorrow_future
Bug Type: Cross-site Scripting (XSS) - Stored

Disclosed on 2020-11-19

Rating: No rating


authenticity token not verified leads to change business name

@ Submitted by cforu
Bug Type: Cross-Site Request Forgery (CSRF)

Disclosed on 2020-10-23

Rating: Medium


Undocumented `fileCopy` GraphQL API

@ Submitted by ash_nz
Bug Type: Improper Access Control - Generic

Disclosed on 2020-10-22

Rating: Medium


A staff member with no permissions can edit Store Customer Email

@ Submitted by ash_nz
Bug Type: Insecure Direct Object Reference (IDOR)

Disclosed on 2020-10-22

Rating: Medium


User sensitive information disclosure

@ Submitted by a_yang
Bug Type: Privacy Violation

Disclosed on 2020-10-22

Rating: Medium


Self XSS

@ Submitted by wannacry0x01
Bug Type: Cross-site Scripting (XSS) - Generic

Disclosed on 2020-09-17

Rating: No rating


xss triggered in "myshopify.com/admin/product"

@ Submitted by jaka_tingkir
Bug Type: None supplied

Disclosed on 2020-09-15

Rating: High


xss triggered in "myshopify.com/admin/product"

@ Submitted by jaka_tingkir
Bug Type: None supplied

Disclosed on 2020-09-15

Rating: High