| Bypass a fix for report #708013 |
Brute Force |
scaramouche31 |
Medium |
2021-12-07 |
| xss is triggered on your web |
Cross-site Scripting (XSS) - DOM |
jaka_tingkir |
Medium |
2021-12-06 |
| [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status |
Cross-Site Request Forgery (CSRF) |
rhynorater |
Low |
2021-12-06 |
| Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all |
Privilege Escalation |
yinvi777 |
Medium |
2021-12-04 |
| Unathorised access to admin endpoint on plus-website-staging5.shopifycloud.com |
Improper Access Control - Generic |
j0j0 |
Medium |
2021-12-03 |
| Ability to add address without being an admin or staff in the store via wholesale store |
None supplied |
hydraxanon82 |
Low |
2021-12-03 |
| [h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS |
Business Logic Errors |
c0rv4x |
Low |
2021-12-03 |
| Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints |
None supplied |
cthulhufhtagn |
Low |
2021-12-02 |
| Insufficient session expiration in the **com.shopify.ping** android app |
Insufficient Session Expiration |
fr4via |
Low |
2021-11-26 |
| Sidekiq dashboard exposed at notary.shopifycloud.com |
Information Disclosure |
youstin |
Medium |
2021-11-25 |
| A non-privileged user may create an admin account in Stocky |
Privilege Escalation |
stapia |
Medium |
2021-11-25 |
| Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link) |
None supplied |
hydraxanon82 |
Medium |
2021-11-21 |
| Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com |
Information Disclosure |
savik |
None |
2021-11-18 |
| Open Redirect in www.shopify.dev Environment |
Open Redirect |
beerboy_ankit |
Medium |
2021-11-18 |
| Blog posts atom feed of a store with password protection can be accessed by anyone |
Information Disclosure |
xenx |
Medium |
2021-11-08 |
| Senseitive data Related to Shopify Host -> https://shopify.zendesk.com/ |
Cleartext Storage of Sensitive Information |
sam_exploit |
None |
2021-11-08 |
| Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage |
Violation of Secure Design Principles |
golim |
Low |
2021-10-21 |
| Domain Takeover at 3hopify.media |
Privilege Escalation |
m7mdharoun |
None |
2021-10-21 |
| Store Deletion or Sell without authentication |
Improper Authentication - Generic |
fr4via |
Low |
2021-10-21 |
| Create free Shopify application credits. |
Improper Access Control - Generic |
jmp_35p |
Medium |
2021-09-10 |
| Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/ |
None supplied |
riramar |
None |
2021-08-16 |
| Github access token exposure |
None supplied |
augustozanellato |
Critical |
2021-07-26 |
| your-store.myshopify.com preview link is leak on third party website lead to preview all action from store owner Without store Password. |
Improper Authentication - Generic |
danishalkatiri |
Medium |
2021-07-12 |
| Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! |
None supplied |
superbsic |
Medium |
2021-07-08 |
| Add new managed stores without permission |
Improper Access Control - Generic |
jmp_35p |
Medium |
2021-07-08 |
| Low Privileged user can add or remove cash to/from sales register |
Privilege Escalation |
sandeep_rj49 |
Low |
2021-06-16 |
| Add new development stores without permission |
Improper Access Control - Generic |
jmp_35p |
Medium |
2021-06-04 |
| XSS at https://exchangemarketplace.com/blogsearch |
Cross-site Scripting (XSS) - Generic |
fatal0 |
Medium |
2021-04-09 |
| https://themes.shopify.com::: Host header web cache poisoning lead to DoS |
Denial of Service |
g4mm4 |
Medium |
2021-04-08 |
| [h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) |
Incorrect Permission Assignment for Critical Resource |
intidc |
Medium |
2021-03-25 |
| Informations disclosure - Access to some checkout informations |
None supplied |
francisbeaudoin |
Medium |
2021-03-13 |
| Low Privileged Staff Member Can Export Billing Charges |
Improper Access Control - Generic |
ash_nz |
Medium |
2020-11-26 |
| [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image |
Information Disclosure |
vocotnhan |
Medium |
2020-11-21 |
| Self xss in product reviews |
Cross-site Scripting (XSS) - Generic |
tomorrow_future |
No rating |
2020-11-19 |
| Staff with no permissions can listen to Shopify Ping conversions by registering to its different WebSocket Events |
Information Disclosure |
francisbeaudoin |
No rating |
2020-11-19 |
| Staff Member can Get POS Access Without User Interaction |
None supplied |
ngalog |
Medium |
2020-11-19 |
| Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation |
None supplied |
francisbeaudoin |
No rating |
2020-11-19 |
| Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner |
None supplied |
francisbeaudoin |
Medium |
2020-11-19 |
| Customer's full name disclosure via Shopify Chat (by email lookup) |
Information Disclosure |
francisbeaudoin |
No rating |
2020-11-19 |
| XSS stored in the Shopify Email app |
Cross-site Scripting (XSS) - Stored |
tomorrow_future |
No rating |
2020-11-19 |
| Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events |
Information Disclosure |
francisbeaudoin |
No rating |
2020-11-19 |
| authenticity token not verfied leads to change business name |
Cross-Site Request Forgery (CSRF) |
cforu |
Medium |
2020-10-23 |
| A staff member with no permissions can edit Store Customer Email |
Insecure Direct Object Reference (IDOR) |
ash_nz |
Medium |
2020-10-22 |
| User sensitive information disclosure |
Privacy Violation |
a_yang |
Medium |
2020-10-22 |
| Undocumented `fileCopy` GraphQL API |
Improper Access Control - Generic |
ash_nz |
Medium |
2020-10-22 |
| Self XSS |
Cross-site Scripting (XSS) - Generic |
wannacry0x01 |
No rating |
2020-09-17 |
| Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation |
Privilege Escalation |
say_ch33se |
Critical |
2020-09-15 |
| Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation |
Privilege Escalation |
say_ch33se |
Critical |
2020-09-15 |
| CircleCI token in github repo allows for access to sensitive build information |
Information Disclosure |
dwimmerlaik |
No rating |
2020-09-15 |
| staff can able to extend shopify trial period without admin permission |
Improper Access Control - Generic |
risinghunter |
Low |
2020-09-15 |
| xss triggered in "myshopify.com/admin/product" |
None supplied |
jaka_tingkir |
High |
2020-09-15 |
| A staff without export customers permissions can still export customers CSV file |
Improper Access Control - Generic |
ryat |
No rating |
2020-09-15 |
| xss triggered in "myshopify.com/admin/product" |
None supplied |
jaka_tingkir |
High |
2020-09-15 |
| Partner's non-verified business email change reflected into Shopify Collaborator Request |
Improper Access Control - Generic |
francisbeaudoin |
No rating |
2020-09-14 |
| XSS within Shopify Email App - Admin |
Cross-site Scripting (XSS) - Stored |
francisbeaudoin |
No rating |
2020-09-14 |
| XSS / SELF XSS |
Cross-site Scripting (XSS) - Generic |
whoami991 |
Low |
2020-09-14 |
| Staff member with no permission can delete POS staff from account settings |
Privilege Escalation |
kunal94 |
Low |
2020-09-14 |
| Password protection can be removed for newly created development store |
None supplied |
francisbeaudoin |
No rating |
2020-09-14 |
| Admin web sessions remain active after logout of Shopify ID |
Insufficient Session Expiration |
jaka_tingkir |
No rating |
2020-09-14 |
| Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog |
Improper Neutralization of HTTP Headers for Scripting Syntax |
dakitu |
Low |
2020-09-11 |
| damage to the timeline so that comment fields cannot be displayed or not available to all members in the store |
None supplied |
jaka_tingkir |
No rating |
2020-09-09 |
| Takeover an account that doesn't have a Shopify ID and more |
None supplied |
francisbeaudoin |
Critical |
2020-09-02 |
| Takeover an account that doesn't have a Shopify ID and more |
None supplied |
francisbeaudoin |
Critical |
2020-09-02 |
| XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com |
Violation of Secure Design Principles |
zerox4 |
Low |
2020-08-30 |
| Ability to publish a paid theme without purchasing it. |
Improper Access Control - Generic |
saltymermaid |
Low |
2020-08-27 |
| Ability to publish a paid theme without purchasing it. |
Improper Access Control - Generic |
saltymermaid |
Low |
2020-08-27 |
| Path Traversal in App Proxy |
Path Traversal |
ngalog |
Medium |
2020-08-25 |
| Self XSS in Timeline |
Cross-site Scripting (XSS) - Generic |
ryat |
No rating |
2020-08-25 |
| Script Editor preview token still working with uninstalled application, even for unpublished script |
None supplied |
francisbeaudoin |
No rating |
2020-08-25 |
| Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) |
Information Disclosure |
saltymermaid |
Medium |
2020-08-25 |
| xss stored in https://your store.myshopify.com/admin/ |
Cross-site Scripting (XSS) - Stored |
zwail |
Low |
2020-08-24 |
| STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend |
Information Disclosure |
langduvnsec |
Medium |
2020-08-24 |
| Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition) |
Privilege Escalation |
meow-hacker-meow |
Medium |
2020-08-24 |
| Stocky App Administrator can create a backdoor admin account by using an existing POS User |
None supplied |
francisbeaudoin |
No rating |
2020-08-24 |
| increased privileges on staff account |
None supplied |
jaka_tingkir |
Medium |
2020-08-24 |
| *.shopify.com - Authentication bypass |
None supplied |
nooblife |
No rating |
2020-08-24 |
| Password reset link not expired at Stocky App |
Improper Access Control - Generic |
ayyoub |
No rating |
2020-08-19 |
| Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation |
Information Disclosure |
tolo7010 |
No rating |
2020-08-19 |
| Ability to generate shipping labels in another store orders |
Insecure Direct Object Reference (IDOR) |
francisbeaudoin |
No rating |
2020-08-19 |
| Blind Stored XSS Via Staff Name |
Cross-site Scripting (XSS) - Stored |
rioncool22 |
High |
2020-08-18 |
| OrderListInitial leaks order details |
Information Disclosure |
sreeju_kc |
Medium |
2020-08-18 |
| access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- |
None supplied |
jaka_tingkir |
Medium |
2020-08-18 |
| Get analytics token using only apps permission |
Information Disclosure |
jmp_35p |
Medium |
2020-08-18 |
| Stored XSS in my staff name fired in another your internal panel |
Cross-site Scripting (XSS) - Stored |
cyber__sec |
High |
2020-07-30 |
| Stored XSS in my staff name fired in another your internal panel |
Cross-site Scripting (XSS) - Stored |
cyber__sec |
High |
2020-07-29 |
| GraphQL AdminGenerateSessionPayload is leaked to staff with no permission |
None supplied |
hiffley |
High |
2020-07-16 |
| Account takeover intercepting magic link for Arrive app |
Insufficiently Protected Credentials |
nsl182 |
Low |
2020-07-15 |
| Ability to link a Google account to another staff account/store owner that isn't linked yet |
None supplied |
francisbeaudoin |
No rating |
2020-07-15 |
| user with no draft order permission can still perform action on draft order's in stocky app (idor) |
Improper Authentication - Generic |
imranhudaa |
No rating |
2020-07-15 |
| IDOR on stocky application-Low Stock-Varient-Settings-Columns |
Insecure Direct Object Reference (IDOR) |
sreeju_kc |
Medium |
2020-07-14 |
| Subdomain Takeover of multiple *.ttcdn.co domains |
Violation of Secure Design Principles |
priyanshuxo |
Low |
2020-07-14 |
| Open Redirect - www.shopify.com |
Open Redirect |
zonduu |
Low |
2020-07-14 |
| User with removed manage shops permissions is still able to make changes to a shop |
Improper Access Control - Generic |
flashdisk |
Medium |
2020-06-12 |
| Stored XSS on demo app link |
Cross-site Scripting (XSS) - Stored |
flashdisk |
Medium |
2020-06-12 |
| Session works after logout from Shopify account and password of online store is displayed |
None supplied |
danerh |
Low |
2020-04-27 |
| None permission staff member can identify installed application and products attached to it |
Information Disclosure |
sreeju_kc |
Low |
2020-04-21 |
| CSRF on connecting Paypal as Payment Provider |
Cross-Site Request Forgery (CSRF) |
ngalog |
Medium |
2020-04-10 |
| Stored XSS through Facebook Page Connection |
Cross-site Scripting (XSS) - Stored |
boredengineer21 |
Low |
2020-04-04 |
| xss stored |
Cross-site Scripting (XSS) - Stored |
davscol94 |
No rating |
2020-04-03 |
| Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO |
None supplied |
ngalog |
Critical |
2020-04-01 |
| [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation |
None supplied |
ngalog |
Critical |
2020-04-01 |
| [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation |
None supplied |
ngalog |
Critical |
2020-04-01 |
| Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO |
None supplied |
ngalog |
Critical |
2020-04-01 |
| Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation |
None supplied |
ngalog |
Medium |
2020-04-01 |
| Session works after logout from Shopify account |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
cryptographer |
Low |
2020-03-30 |
| H1514 CSRF in Domain transfer allows adding your domain to other user's account |
Cross-Site Request Forgery (CSRF) |
rijalrojan |
High |
2020-03-30 |
| Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) |
Cross-site Scripting (XSS) - Reflected |
mosuan |
Low |
2020-03-16 |
| H1514 Deanonymizing Exchange Marketplace private listings |
Information Disclosure |
fisher |
Medium |
2020-03-10 |
| H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products |
Command Injection - Generic |
fransrosen |
Medium |
2020-02-06 |
| H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products |
Command Injection - Generic |
fransrosen |
Medium |
2020-02-06 |
| H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products |
Command Injection - Generic |
fransrosen |
Medium |
2020-02-06 |
| Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP |
Privilege Escalation |
hackrzvijay |
No rating |
2020-02-02 |
| Stored XSS in Shopify Chat |
Cross-site Scripting (XSS) - Stored |
mosuan |
Low |
2019-12-23 |
| Shopify Stocky App OAuth Misconfiguration |
Privilege Escalation |
vulnh0lic |
Medium |
2019-12-11 |
| Shopify Stocky App OAuth Misconfiguration |
Privilege Escalation |
vulnh0lic |
Medium |
2019-12-11 |
| Stored XSS in private message |
Cross-site Scripting (XSS) - Stored |
mosuan |
Medium |
2019-11-08 |
| Ability to verify any email address you don't own - accounts.shopify.com |
Violation of Secure Design Principles |
zombiehelp54 |
No rating |
2019-11-08 |
| H1514 Ability to MiTM Shopify PoS Session to Takeover Communications |
Business Logic Errors |
teknogeek |
Medium |
2019-11-04 |
| H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps |
Cross-site Scripting (XSS) - DOM |
bored-engineer |
Medium |
2019-11-04 |
| Reflective Cross-site Scripting via Newsletter Form |
Cross-site Scripting (XSS) - Reflected |
dostoevskylabs |
High |
2019-10-11 |
| Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission |
Client-Side Enforcement of Server-Side Security |
mariogh |
Medium |
2019-10-10 |
| ██████ DOM XSS via Shopify.API.remoteRedirect |
Cross-site Scripting (XSS) - DOM |
yxw21 |
Low |
2019-09-15 |
| XSS while logging using Google |
Cross-site Scripting (XSS) - Reflected |
ashketchum |
No rating |
2019-09-11 |
| Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) |
Improper Authentication - Generic |
tems |
Low |
2019-08-14 |
| STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL |
Improper Access Control - Generic |
h13- |
Low |
2019-06-18 |
| H1514 Removed Staff members who had "Apps" permission can still modify flow app connections |
Improper Authorization |
zombiehelp54 |
Medium |
2019-06-14 |
| XSS on services.shopify.com |
Cross-site Scripting (XSS) - Stored |
encryptsaan123 |
Low |
2019-06-14 |
| Unpublished Product Images can be disclosed |
Improper Access Control - Generic |
h13- |
Low |
2019-06-12 |
| H1514 Bypass Wholesale account signup restrictions |
Improper Access Control - Generic |
cablej |
Medium |
2019-06-07 |
| H1514 [*.(my)shopify.com] - Viewing Password Protected Content |
Improper Authentication - Generic |
corb3nik |
High |
2019-05-22 |
| H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com |
Session Fixation |
filedescriptor |
No rating |
2019-04-25 |
| H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing |
Cross-site Scripting (XSS) - DOM |
filedescriptor |
High |
2019-04-17 |
| H1514 Server Side Template Injection in Return Magic email templates? |
Code Injection |
zombiehelp54 |
No rating |
2019-04-04 |
| Reflected XSS on $Any$.myshopify.com/admin |
Cross-site Scripting (XSS) - Reflected |
dr_dragon |
High |
2018-11-13 |
| PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard |
Information Disclosure |
h13- |
Low |
2018-11-08 |
| Disclosure of Github Issues |
Information Disclosure |
rijalrojan |
Medium |
2018-11-08 |
| Stored xss |
Cross-site Scripting (XSS) - Stored |
dr_dragon |
High |
2018-11-07 |
| App messaging can be hijacked by third-party websites |
Violation of Secure Design Principles |
palant |
Medium |
2018-11-07 |
| Admin bar: Incomplete message origin validation results in XSS |
Cross-site Scripting (XSS) - DOM |
palant |
Medium |
2018-11-07 |
| [ux.shopify.com] Subdomain takeover |
Improper Access Control - Generic |
bobrov |
Medium |
2018-10-19 |
| Race condition at create new Location |
Business Logic Errors |
zhurig |
Low |
2018-10-05 |
| subdomain Takeover at blog.exchangemarketplace.com |
None supplied |
m7mdharoun |
Low |
2018-10-01 |
| Stored XSS on buy button |
Cross-site Scripting (XSS) - Stored |
tony_tsep |
Low |
2018-09-29 |
| Open redirection in OAuth |
Open Redirect |
dr_dragon |
Low |
2018-09-24 |
| Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass |
Improper Authentication - Generic |
rijalrojan |
Critical |
2018-09-19 |
| From full-access account to Account Owner |
Privilege Escalation |
rms |
No rating |
2018-09-18 |
| Stored XSS on activity |
Cross-site Scripting (XSS) - Stored |
shazad_sadiq |
High |
2018-08-14 |
| Preview bar: Incomplete message origin validation results in XSS |
Cross-site Scripting (XSS) - DOM |
palant |
Medium |
2018-07-26 |
| Potential SSRF and disclosure of sensitive site on *shopifycloud.com |
Server-Side Request Forgery (SSRF) |
rijalrojan |
Low |
2018-07-19 |
| [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network |
Server-Side Request Forgery (SSRF) |
bored-engineer |
Medium |
2018-07-11 |
| Subdomain Takeover - https://competition.shopify.com/ |
Privilege Escalation |
llt4l |
Medium |
2018-06-19 |
| Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C |
Improper Access Control - Generic |
tbh |
Low |
2018-06-15 |
| Publicly Accessible Datadog link |
Information Disclosure |
rijalrojan |
Medium |
2018-06-15 |
| SSRF in Exchange leads to ROOT access in all instances |
Server-Side Request Forgery (SSRF) |
0xacb |
Medium |
2018-05-23 |
| ability to install paid themes for free |
Improper Access Control - Generic |
flashdisk |
Medium |
2018-05-16 |
| Potential to abuse pricing errors in saved carts |
Business Logic Errors |
richardf |
Medium |
2018-05-02 |
| Replace other user files in Inbox messages |
Insecure Direct Object Reference (IDOR) |
rijalrojan |
Medium |
2018-05-01 |
| Stored XSS in partners dashboard |
Cross-site Scripting (XSS) - Stored |
bastianwelfrid |
Low |
2018-04-18 |
| Order notifications being sent for a deactivated staff account |
Improper Authorization |
newbie_101 |
Low |
2018-04-12 |
| XSS *.myshopify.com/collections/vendors?q= |
Cross-site Scripting (XSS) - Reflected |
gromoza |
Medium |
2018-04-08 |
| XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter |
Cross-site Scripting (XSS) - DOM |
bored-engineer |
None |
2018-04-03 |
| Access to Private Photos of Apps in App section(IDOR) |
Insecure Direct Object Reference (IDOR) |
vijay_kumar1110 |
Medium |
2018-03-05 |
| myshopify.com domain takeover |
Business Logic Errors |
0xacb |
Medium |
2018-02-27 |
| Ability to bypass partner email confirmation to take over any store given an employee email |
Time-of-check Time-of-use (TOCTOU) Race Condition |
cache-money |
Critical |
2018-02-07 |
| Cross-site scripting in "Contact customer" form |
Cross-site Scripting (XSS) - Stored |
protector47 |
Low |
2017-12-19 |
| Self-XSS in password reset functionality |
Cross-site Scripting (XSS) - Reflected |
itszeeshan |
Low |
2017-11-10 |
| stored xss in invited team member via email parameter |
Cross-site Scripting (XSS) - Stored |
coldd |
Medium |
2017-11-03 |
| Shopify admin authentication bypass using partners.shopify.com |
Improper Authorization |
uzsunny9 |
Critical |
2017-09-28 |
| Shopify admin authentication bypass using partners.shopify.com |
Improper Authorization |
uzsunny |
Critical |
2017-09-28 |
| Tinymce 2.4.0 |
Cross-site Scripting (XSS) - DOM |
jelmer |
Medium |
2017-09-26 |
| SVG Server Side Request Forgery (SSRF) |
Server-Side Request Forgery (SSRF) |
floyd |
Low |
2017-09-22 |
| Stored XSS Deleting Menu Links in the Shopify Admin |
Cross-site Scripting (XSS) - Stored |
geeklegend |
Medium |
2017-09-08 |
| Setting Arbitrary Cookie at kitcrm.com |
None supplied |
dhaval |
None |
2017-08-23 |
| XSS in my.shopify.com in widget |
Cross-site Scripting (XSS) - Generic |
xssa |
Medium |
2017-07-21 |
| Open Redirect in shopify app URL |
Open Redirect |
pappan |
Low |
2017-07-21 |
| IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop |
Insecure Direct Object Reference (IDOR) |
inhibitor181 |
Medium |
2017-07-19 |
| SQL Exception thrown during product import |
Information Exposure Through an Error Message |
pappan |
Medium |
2017-07-12 |
| XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications |
Cross-site Scripting (XSS) - Stored |
bored-engineer |
High |
2017-06-28 |
| API Webhooks Fire And Are Unlisted After Permissions Removed |
Improper Access Control - Generic |
yaworsk |
Low |
2017-06-27 |
| Redirect in adding advance cash on delivery app |
Open Redirect |
ashish_r_padelkar |
Low |
2017-06-27 |
| Stored XSS in *.myshopify.com |
Cross-site Scripting (XSS) - Stored |
jamesclyde |
Medium |
2017-06-27 |
| ShopifyAPI is vulnerable to timing attacks. |
Cryptographic Issues - Generic |
edoverflow |
Low |
2017-06-23 |
| Shopify GitHub Login and Password exposed all private source code might be available. |
Information Disclosure |
todayisnew |
No rating |
2017-06-08 |
| XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app |
Cross-site Scripting (XSS) - Generic |
bored-engineer |
High |
2017-06-01 |
| XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" |
Cross-site Scripting (XSS) - DOM |
bored-engineer |
No rating |
2017-05-30 |
| Reflected XSS in <any>.myshopify.com through theme preview |
Cross-site Scripting (XSS) - Reflected |
zombiehelp54 |
No rating |
2017-05-29 |
| XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app |
Cross-site Scripting (XSS) - Generic |
bored-engineer |
High |
2017-05-22 |
| CSRF in all API endpoints when authenticated using HTTP Authentication |
Cross-Site Request Forgery (CSRF) |
zombiehelp54 |
No rating |
2017-03-28 |
| Stored XSS in [shop].myshopify.com/admin/orders/[id] |
Cross-site Scripting (XSS) - Generic |
zombiehelp54 |
No rating |
2017-03-28 |
| Stored passive XSS at scheduled posts (kitcrm.com) |
Cross-site Scripting (XSS) - Reflected |
skavans |
Medium |
2017-03-28 |
| Full access at an internal service of Shopify |
Information Disclosure |
jamesclyde |
No rating |
2017-03-28 |
| Stored XSS in blog comments through Shopify API |
Cross-site Scripting (XSS) - Generic |
prakharprasad |
Medium |
2017-03-16 |
| Stealing users' facebook access tokens - kitcrm.com |
Information Disclosure |
zombiehelp54 |
No rating |
2017-03-15 |
| Subdomain takeover on s3.shopify.com |
Cross-site Scripting (XSS) - Generic |
avlidienbrunn |
No rating |
2017-02-28 |
| apps.shopify.com - CSRF token leakage through Google Analytics |
Cross-Site Request Forgery (CSRF) |
zombiehelp54 |
No rating |
2017-02-07 |
| Authentication Bypass on monitoring server |
Improper Authentication - Generic |
jamesclyde |
Low |
2017-01-11 |
| XSS on postal codes |
Cross-site Scripting (XSS) - Generic |
pappan |
Medium |
2017-01-11 |
| XSS on manually entering Postal codes |
Cross-site Scripting (XSS) - Generic |
prem1807 |
Medium |
2016-12-17 |
| Misconfiguration in Two Factor Authorisation |
None supplied |
dhaval |
No rating |
2016-12-17 |
| Unauthenticated Stored XSS on <any>.myshopify.com via checkout page |
Cross-site Scripting (XSS) - Generic |
zombiehelp54 |
No rating |
2016-12-16 |
| Stored XSS at 'Buy Button' page |
Cross-site Scripting (XSS) - Generic |
zuh4n |
No rating |
2016-12-16 |
| [ecommerce.shopify.com] Invalidated redirection |
Open Redirect |
shailesh4594 |
Low |
2016-12-04 |
| Open redirect in bulk edit |
Open Redirect |
zombiehelp54 |
No rating |
2016-12-04 |
| Able to Login deactivated staff account in shopify app mobile |
Privilege Escalation |
clarckowen_ |
No rating |
2016-11-29 |
| (BYPASS) Open redirect and XSS in supporthiring.shopify.com |
Cross-Site Request Forgery (CSRF) |
jamesclyde |
No rating |
2016-11-21 |
| race condition in adding team members |
Violation of Secure Design Principles |
flashdisk |
Low |
2016-11-10 |
| password less login token expiration issue |
Improper Authentication - Generic |
satishb3 |
No rating |
2016-10-19 |
| Add signature to transactions without any permission |
Improper Authentication - Generic |
supernatural |
No rating |
2016-10-07 |
| Deleted Post and Administrative Function Access in eCommerce Forum |
Privilege Escalation |
ysx |
No rating |
2016-10-05 |
| Payment gateway status transferred to Shopify without authentication |
Cross-Site Request Forgery (CSRF) |
ishwar_prasad_bhat |
No rating |
2016-09-27 |
| [apps.shopify.com] Open Redirect |
Open Redirect |
bobrov |
No rating |
2016-09-26 |
| Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor |
Open Redirect |
zombiehelp54 |
No rating |
2016-09-22 |
| XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline |
Cross-site Scripting (XSS) - Generic |
nismo |
No rating |
2016-09-19 |
| Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline |
Cross-site Scripting (XSS) - Generic |
nismo |
No rating |
2016-09-19 |
| Access to Splunk via shard3-db2.ec2.shopify.com endpoint |
Improper Authentication - Generic |
ysx |
No rating |
2016-09-19 |
| Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly |
None supplied |
sacurifity |
No rating |
2016-09-06 |
| Open redirect using checkout_url |
Open Redirect |
zombiehelp54 |
No rating |
2016-09-01 |
| Open CouchDB on experiments.ec2.shopify.com:5984 |
None supplied |
fransrosen |
No rating |
2016-09-01 |
| Access to Splunk at https://apt.ec2.shopify.com:8089 |
None supplied |
lewerkun |
No rating |
2016-09-01 |
| (BYPASS) Open Redirect after login at http://ecommerce.shopify.com |
Open Redirect |
jamesclyde |
No rating |
2016-09-01 |
| (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' |
Improper Authentication - Generic |
jamesclyde |
No rating |
2016-09-01 |
| View all deleted comments and rating of any app . |
Information Disclosure |
vijay_kumar |
No rating |
2016-09-01 |
| Open Redirect possible in https://www.shopify.com/admin/ |
Open Redirect |
jamesclyde |
No rating |
2016-08-31 |
| Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 |
Improper Authentication - Generic |
mico02 |
No rating |
2016-08-09 |
| Delete/modify your own comment after limited access(IDOR) |
Privilege Escalation |
vijay_kumar1110 |
No rating |
2016-08-09 |
| Staff member can delete Private Apps |
Privilege Escalation |
vijay_kumar1110 |
No rating |
2016-08-09 |
| Redirect url after login is not validated |
Open Redirect |
capripio |
No rating |
2016-07-28 |
| XSS in Draft Orders in Timeline i SHOPIFY Admin Site! |
Cross-site Scripting (XSS) - Generic |
nismo |
No rating |
2016-07-28 |
| [CSRF] Install premium themes |
Cross-Site Request Forgery (CSRF) |
zombiehelp54 |
No rating |
2016-07-27 |
| Stealing livechat token and using it to chat as the user - user information disclosure |
Improper Authentication - Generic |
zombiehelp54 |
No rating |
2016-07-19 |
| https://windsor.shopify.com/ takeover |
Open Redirect |
zseano |
No rating |
2016-07-19 |
| Potentially Sensitive Information on GitHub |
Information Disclosure |
wkcaj |
No rating |
2016-07-17 |
| Authentication Bypass on Icinga monitoring server |
Improper Authentication - Generic |
wkcaj |
No rating |
2016-07-17 |
| Staff members with no permission can access to the files, uploaded by the administrator |
Privilege Escalation |
hexrby |
No rating |
2016-07-07 |
| Fetching external resources through svg images |
Information Disclosure |
detroitsmash |
No rating |
2016-06-21 |
| SVG parser loads external resources on image upload |
Cross-Site Request Forgery (CSRF) |
ogig |
No rating |
2016-06-02 |
| staff memeber can install apps even if have limitied access |
Privilege Escalation |
abdellahyal |
No rating |
2016-05-05 |
| Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP` |
Privilege Escalation |
coolboss |
No rating |
2016-04-20 |
| Bypassed password authentication before enabling OTP verification |
Improper Authentication - Generic |
jbbbkj |
No rating |
2016-04-15 |
| XSS on hardware.shopify.com |
Cross-site Scripting (XSS) - Generic |
virtualhunter |
No rating |
2016-04-09 |
| Stored XSS via "Free Shipping" option (Discounts) |
Cross-site Scripting (XSS) - Generic |
ancst |
No rating |
2016-04-05 |
| XSS on https://app.shopify.com/ |
Cross-site Scripting (XSS) - Generic |
secalert |
No rating |
2016-04-05 |
| xss in the all widgets of shopifyapps.com |
Cross-site Scripting (XSS) - Generic |
sergeym |
No rating |
2016-03-16 |
| Stored XSS in https://checkout.shopify.com/ |
Cross-site Scripting (XSS) - Generic |
niyaax |
No rating |
2016-03-15 |
| Strored Cross Site Scripting |
Cross-site Scripting (XSS) - Generic |
hussein98d |
No rating |
2016-03-13 |
| Injection via CSV Export feature in Admin Orders |
None supplied |
wakadotz |
No rating |
2016-03-12 |
| XSS on hardware.shopify.com |
Cross-site Scripting (XSS) - Generic |
mdv |
No rating |
2016-03-01 |
| File name and folder enumeration. |
Information Disclosure |
derision |
No rating |
2016-03-01 |
| create staff member without owner access |
Improper Authentication - Generic |
supernatural |
No rating |
2016-02-29 |
| S3 Buckets open to the world thanks to 'Authenticated Users' ACL |
Improper Authentication - Generic |
brakhane |
No rating |
2016-02-23 |
| CSRF on https://shopify.com/plus |
Information Disclosure |
mdv |
No rating |
2016-02-17 |
| Stored XSS in /admin/orders |
Cross-site Scripting (XSS) - Generic |
zombiehelp54 |
No rating |
2016-02-17 |
| many xss in widgets.shopifyapps.com |
Cross-site Scripting (XSS) - Generic |
sergeym |
No rating |
2016-02-04 |
| CSRF in Connecting Pinterest Account |
Cross-Site Request Forgery (CSRF) |
mercurii |
No rating |
2016-02-02 |
| Full access to Amazon S3 bucket containing AWS CloudTrail logs |
Information Disclosure |
koenrh |
No rating |
2016-02-01 |
| Twitter Disconnect CSRF |
Cross-Site Request Forgery (CSRF) |
akhil-reni |
No rating |
2016-02-01 |
| Attach Pinterest account - no State/CSRF parameter in Oauth Call back |
Cross-Site Request Forgery (CSRF) |
akhil-reni |
No rating |
2016-02-01 |
| www.shopify.com XSS via third-party script |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2016-02-01 |
| [livechat.shopify.com] Cookie bomb at customer chats |
None supplied |
s_p_q_r |
No rating |
2016-01-19 |
| HTTP-Response-Splitting on v.shopify.com |
None supplied |
krankopwnz |
No rating |
2016-01-17 |
| "Remember me" token generated when "Remember me" box unchecked |
Improper Authentication - Generic |
dhaval |
No rating |
2016-01-13 |
| Reflected XSS in cart at hardware.shopify.com |
Cross-site Scripting (XSS) - Generic |
juhhga |
No rating |
2015-12-22 |
| Reflective XSS on wholesale.shopify.com |
Cross-site Scripting (XSS) - Generic |
krankopwnz |
No rating |
2015-12-22 |
| Open Redirect at *.myshopify.com/account/login?checkout_url= |
Open Redirect |
batman |
No rating |
2015-12-16 |
| Open redirect using theme install |
Open Redirect |
blinkms |
No rating |
2015-12-14 |
| shopifyapps.com XSS on sales channels via currency formatting |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2015-12-14 |
| An administrator without any permission is able to get order notifications using his APNS Token. |
Improper Authentication - Generic |
rms |
No rating |
2015-12-14 |
| Missing of csrf protection |
Cross-Site Request Forgery (CSRF) |
harishkumar0394 |
No rating |
2015-12-07 |
| XSS in creating tweets |
Cross-site Scripting (XSS) - Generic |
haxs101 |
No rating |
2015-12-03 |
| Non-owner user can remove online store channel and re-add it. |
Improper Authentication - Generic |
zombiehelp54 |
No rating |
2015-12-03 |
| [CSRF] Activate PayPal Express Checkout |
Cross-Site Request Forgery (CSRF) |
zombiehelp54 |
No rating |
2015-12-03 |
| Cookie securing your "Opening soon" store is not secured against XSS |
Violation of Secure Design Principles |
jurajk |
No rating |
2015-12-01 |
| CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com |
Command Injection - Generic |
zombiehelp54 |
No rating |
2015-12-01 |
| Apps can access 'channels' beta api |
Privilege Escalation |
rms |
No rating |
2015-11-18 |
| An administrator without the 'Settings' permission is able to see payment gateways |
Improper Authentication - Generic |
brakhane |
No rating |
2015-11-18 |
| deleted staff member can add his amazon marketplace web services account to the store. |
Improper Authentication - Generic |
zombiehelp54 |
No rating |
2015-11-18 |
| Privilege escalation and circumvention of permission to limited access user |
Improper Authentication - Generic |
ayid |
No rating |
2015-11-11 |
| 'Limited' RCE in certain places where Liquid is accepted |
Code Injection |
brakhane |
No rating |
2015-11-11 |
| A 'Full access' administrator is able to see the shop owners user details |
Privilege Escalation |
brakhane |
No rating |
2015-11-11 |
| List of devices is accessible regardless of the account limitations |
Information Disclosure |
rms |
No rating |
2015-11-10 |
| Accessing Payments page and adding payment methods with limited access accounts |
Privilege Escalation |
shahmeer-amir |
No rating |
2015-11-10 |
| Missing authorization check on dashboard overviews |
Privilege Escalation |
shahmeer-amir |
No rating |
2015-11-10 |
| First & Last Name Disclosure of any Shopify Store Admin |
Privilege Escalation |
hazimaslam |
No rating |
2015-11-09 |
| Unauthorized access to any Store Admin's First & Last name |
Improper Authentication - Generic |
hazimaslam |
No rating |
2015-11-07 |
| get users information without full access |
Privilege Escalation |
supernatural |
No rating |
2015-11-04 |
| Bypassing password requirement during deletion of accout |
Improper Authentication - Generic |
lostboy |
No rating |
2015-11-03 |
| Domain takoever - https://sellocdn.com |
Improper Authentication - Generic |
uname |
No rating |
2015-11-03 |
| Staff members with no permission to access domains can access them. |
Improper Authentication - Generic |
zombiehelp54 |
No rating |
2015-11-03 |
| Some S3 Buckets are world readable (and one is world writeable) |
Improper Authentication - Generic |
brakhane |
No rating |
2015-10-24 |
| Unauthenticated access to details of hidden products in any shop via title emuneration |
Improper Authentication - Generic |
juhhga |
No rating |
2015-10-23 |
| Paid account can review\download any invoice of any other shop |
Improper Authentication - Generic |
dvl |
No rating |
2015-10-22 |
| www.shopify.com XSS on blog pages via sharing buttons |
Cross-site Scripting (XSS) - Generic |
reactors08 |
No rating |
2015-10-21 |
| Arbitrary read on s3://shopify-delivery-app-storage/files |
Improper Authentication - Generic |
brakhane |
No rating |
2015-10-20 |
| Unauthorized access to all collections, products, pages from other stores |
Improper Authentication - Generic |
supernatural |
No rating |
2015-10-20 |
| Arbitrary write on s3://shopify-delivery-app-storage/files |
Improper Authentication - Generic |
brakhane |
No rating |
2015-10-15 |
| amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/ |
Memory Corruption - Generic |
pulkit_pandey |
No rating |
2015-10-15 |
| Privilege escalation vulnerability |
Denial of Service |
marhvhelous |
No rating |
2015-10-14 |
| change Login Services settings without owner access |
Improper Authentication - Generic |
supernatural |
No rating |
2015-10-14 |
| unauthorized access to all collections name |
Privilege Escalation |
supernatural |
No rating |
2015-10-14 |
| The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. |
None supplied |
patrik |
No rating |
2015-10-09 |
| unauthorized access to all customers first and last name |
Improper Authentication - Generic |
supernatural |
No rating |
2015-10-06 |
| customers password hash leak!!!! |
Improper Authentication - Generic |
supernatural |
No rating |
2015-10-05 |
| Open Redirect after login at http://ecommerce.shopify.com |
Open Redirect |
dhaval |
No rating |
2015-10-05 |
| Shop admin can change external login services |
Privilege Escalation |
satishb3 |
No rating |
2015-10-02 |
| Passwords Returned in Later Responses. |
Violation of Secure Design Principles |
w00tr00t |
No rating |
2015-09-30 |
| Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App |
Denial of Service |
prakharprasad |
No rating |
2015-09-29 |
| Notification request disclose private information about other myshopify accounts |
Improper Authentication - Generic |
dvl |
No rating |
2015-09-24 |
| Bypass access restrictions from API |
Improper Authentication - Generic |
supernatural |
No rating |
2015-09-18 |
| Invitation issue |
Privilege Escalation |
frozen |
No rating |
2015-09-16 |
| Body injection in mailto link while commenting shop blog |
None supplied |
skavans |
No rating |
2015-09-10 |
| XSS on ecommerce.shopify.com |
Cross-site Scripting (XSS) - Generic |
r0x33d |
No rating |
2015-09-06 |
| Reflected XSS in chat. |
Cross-site Scripting (XSS) - Generic |
dz_samir |
No rating |
2015-09-02 |
| XSS https://www.shopify.com/signup |
Cross-site Scripting (XSS) - Generic |
mdv |
No rating |
2015-09-01 |
| XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) |
Cross-site Scripting (XSS) - Generic |
dz_samir |
No rating |
2015-08-25 |
| SSRF via 'Insert Image' feature of Products/Collections/Frontpage |
Violation of Secure Design Principles |
alpha |
No rating |
2015-08-24 |
| Reflected XSS in chat |
Cross-site Scripting (XSS) - Generic |
skavans |
No rating |
2015-08-11 |
| TCP Source Port Pass Firewall |
Improper Authentication - Generic |
salmankhanchampion |
No rating |
2015-08-11 |
| Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS |
Cross-site Scripting (XSS) - Generic |
nismo |
No rating |
2015-07-23 |
| XSS in Myshopify Admin Site in DISCOUNTS |
Cross-site Scripting (XSS) - Generic |
nismo |
No rating |
2015-07-20 |
| Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ |
Command Injection - Generic |
prakharprasad |
No rating |
2015-07-16 |
| Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS |
Improper Authentication - Generic |
nismo |
No rating |
2015-07-15 |
| SSRF via 'Add Image from URL' feature |
Violation of Secure Design Principles |
alpha |
No rating |
2015-07-15 |
| SSL cookie without secure flag set |
Violation of Secure Design Principles |
blackpanther_pintoo |
No rating |
2015-07-13 |
| Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content |
Improper Authentication - Generic |
sukhoi |
No rating |
2015-07-04 |
| Open redirection in OAuth |
Open Redirect |
coolboss |
No rating |
2015-07-03 |
| [persistent cross-site scripting] customers can target admins |
Cross-site Scripting (XSS) - Generic |
akhil-reni |
No rating |
2015-07-01 |
| CSRF token fixation in facebook store app that can lead to adding attacker to victim acc |
Violation of Secure Design Principles |
defmax |
No rating |
2015-06-25 |
| XSS at Bulk editing ProductVariants |
Cross-site Scripting (XSS) - Generic |
mafia |
No rating |
2015-06-25 |
| XSS at Bulk editing products |
Cross-site Scripting (XSS) - Generic |
mafia |
No rating |
2015-06-17 |
| XSS at importing Product List |
Cross-site Scripting (XSS) - Generic |
mafia |
No rating |
2015-06-17 |
| Header Misconfiguration - PHP API |
Violation of Secure Design Principles |
paulos_ |
No rating |
2015-06-11 |
| [www.*.myshopify.com] CRLF Injection |
None supplied |
bobrov |
No rating |
2015-06-10 |
| Force 500 Internal Server Error on any shop (for one user) |
Denial of Service |
4lemon |
No rating |
2015-06-10 |
| XSS on support.shopify.com |
Cross-site Scripting (XSS) - Generic |
r0x33d |
No rating |
2015-06-10 |
| XSS in myshopify.com Admin site in TAX Overrides |
Cross-site Scripting (XSS) - Generic |
nismo |
No rating |
2015-06-09 |
| Authentication Failed Mobile version |
Improper Authentication - Generic |
lccunha |
No rating |
2015-06-02 |
| Stored XSS in the Shopify Discussion Forums |
Cross-site Scripting (XSS) - Generic |
sukhjiwansingh |
No rating |
2015-05-31 |
| Multiple issues on Checkout Process |
Violation of Secure Design Principles |
ishikawa |
No rating |
2015-05-21 |
| Lack of SSL Pinning on POS Application ( iOS ) |
Cryptographic Issues - Generic |
ishikawa |
No rating |
2015-05-21 |
| XSS in experts.shopify.com |
Cross-site Scripting (XSS) - Generic |
haxs101 |
No rating |
2015-05-19 |
| XSS - URL Redirects |
Cross-site Scripting (XSS) - Generic |
vlazeg |
No rating |
2015-05-17 |
| Xss in website's link |
Cross-site Scripting (XSS) - Generic |
ragnar |
No rating |
2015-05-13 |
| Content Spoofing |
Violation of Secure Design Principles |
zerohat |
No rating |
2015-05-05 |
| comment out causes information disclosure |
Information Disclosure |
shhnjk |
No rating |
2015-04-19 |
| IDOR expire other user sessions |
Improper Authentication - Generic |
sappi |
No rating |
2015-04-17 |
| Missing spf flags for myshopify.com |
None supplied |
scorppy |
No rating |
2015-04-16 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles