Shopify
Most disclosed vulnerability type (49 disclosures) — Cross-site Scripting (XSS) - Generic
zombiehelp54 has disclosed the most, with 20 reports!
Shopify's top public payouts
- Shopify rewarded SSRF in Exchange leads to ROOT access in all instances with a $25,000 bounty!
- Shopify rewarded Takeover an account that doesn't have a Shopify ID and more with a $22,500 bounty!
- Shopify rewarded Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation with a $22,500 bounty!
- Shopify rewarded Shopify admin authentication bypass using partners.shopify.com with a $20,000 bounty!
- Shopify rewarded Ability to bypass partner email confirmation to take over any store given an employee email with a $15,250 bounty!
Most recently disclosed
Low Privileged Staff Member Can Export Billing Charges
@ Submitted by ash_nz
Bug Type: Improper Access Control - Generic
Disclosed on 2020-11-26
[Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) has public access to other users' images
@ Submitted by vocotnhan
Bug Type: Information Disclosure
Disclosed on 2020-11-21
Self xss in product reviews
@ Submitted by tomorrow_future
Bug Type: Cross-site Scripting (XSS) - Generic
Disclosed on 2020-11-19
Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events
@ Submitted by francisbeaudoin
Bug Type: Information Disclosure
Disclosed on 2020-11-19
XSS stored in the Shopify Email app
@ Submitted by tomorrow_future
Bug Type: Cross-site Scripting (XSS) - Stored
Disclosed on 2020-11-19
Customer's full name disclosure via Shopify Chat (by email lookup)
@ Submitted by francisbeaudoin
Bug Type: Information Disclosure
Disclosed on 2020-11-19
Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner
@ Submitted by francisbeaudoin
Bug Type: None supplied
Disclosed on 2020-11-19
Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation
@ Submitted by francisbeaudoin
Bug Type: None supplied
Disclosed on 2020-11-19
Staff Member can Get POS Access Without User Interaction
@ Submitted by ngalog
Bug Type: None supplied
Disclosed on 2020-11-19
Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events
@ Submitted by francisbeaudoin
Bug Type: Information Disclosure
Disclosed on 2020-11-19
Authenticity token not verified leads to change of business name
@ Submitted by cforu
Bug Type: Cross-Site Request Forgery (CSRF)
Disclosed on 2020-10-23
User sensitive information disclosure
@ Submitted by a_yang
Bug Type: Privacy Violation
Disclosed on 2020-10-22
A staff member with no permissions can edit Store Customer Email
@ Submitted by ash_nz
Bug Type: Insecure Direct Object Reference (IDOR)
Disclosed on 2020-10-22
Undocumented `fileCopy` GraphQL API
@ Submitted by ash_nz
Bug Type: Improper Access Control - Generic
Disclosed on 2020-10-22
Self XSS
@ Submitted by wannacry0x01
Bug Type: Cross-site Scripting (XSS) - Generic
Disclosed on 2020-09-17