| Program | Bounty | Report title |
|---|---|---|
| Shopify | $500 | IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop |
| Shopify | $500 | Stored XSS in *.myshopify.com |
| Shopify | - | SQL Exception thrown during product import |
| Shopify | $5,000 | XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications |
| Shopify | $3,000 | XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" |
| Shopify | - | API Webhooks Fire And Are Unlisted After Permissions Removed |
| Shopify | $2,000 | Reflected XSS in <any>.myshopify.com through theme preview |
| Shopify | - | Open Redirect in shopify app URL |
| Shopify | - | ShopifyAPI is vulnerable to timing attacks. |
| Shopify | $1,000 | XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app |
| Shopify | $800 | XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app |
| Shopify | $500 | Full access at an internal service of Shopify |
| Shopify | $500 | Stored passive XSS at scheduled posts (kitcrm.com) |
| Shopify | $1,500 | Stored XSS in [shop].myshopify.com/admin/orders/[id] |
| Shopify | - | Setting Arbitrary Cookie at kitcrm.com |
| Shopify | $500 | Stealing users' Facebook access tokens - kitcrm.com |
| Shopify | $500 | Subdomain takeover on s3.shopify.com |
| Shopify | $500 | apps.shopify.com - CSRF token leakage through Google Analytics |
| Shopify | $1,000 | CSRF in all API endpoints when authenticated using HTTP Authentication |
| Shopify | $500 | Authentication Bypass on monitoring server |
| Shopify | $1,000 | Stored XSS in blog comments through Shopify API |
| Shopify | $500 | XSS on postal codes |
| Shopify | $500 | XSS on manually entering Postal codes |
| Shopify | $500 | Unauthenticated Stored XSS on <any>.myshopify.com via checkout page |
| Shopify | - | Redirect in adding advance cash on delivery app |
| Shopify | $500 | Stored XSS at 'Buy Button' page |
| Shopify | $500 | XSS in my.shopify.com in widget |
| Shopify | $1,500 | Misconfiguration in Two Factor Authorisation |
| Shopify | $500 | Race condition in adding team members |
| Shopify | $2,000 | Able to Login deactivated staff account in Shopify app mobile |
| Shopify | $500 | [ecommerce.shopify.com] Invalidated redirection |
| Shopify | $500 | Passwordless login token expiration issue |
| Shopify | $500 | Add signature to transactions without any permission |
| Shopify | $500 | Open redirect in bulk edit |
| Shopify | $500 | Deleted Post and Administrative Function Access in eCommerce Forum |
| Shopify | $500 | XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline |
| Shopify | $500 | Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline |
| Shopify | - | Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly |
| Shopify | $500 | Access to Splunk via shard3-db2.ec2.shopify.com endpoint |
| Shopify | $500 | Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor |
| Shopify | $500 | Open Redirect possible in https://www.shopify.com/admin/ |
| Shopify | $500 | [apps.shopify.com] Open Redirect |
| Shopify | $500 | Open CouchDB on experiments.ec2.shopify.com:5984 |
| Shopify | $500 | Open redirect using checkout_url |
| Shopify | $1,000 | (BYPASS) Open redirect and XSS in supporthiring.shopify.com |
| Shopify | $500 | Access to Splunk at https://apt.ec2.shopify.com:8089 |
| Shopify | $500 | (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' |
| Shopify | $500 | Staff member can delete Private Apps |
| Shopify | $500 | (BYPASS) Open Redirect after login at http://ecommerce.shopify.com |
| Shopify | $500 | Delete/modify your own comment after limited access (IDOR) |
| Shopify | $1,000 | Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 |
| Shopify | - | Redirect URL after login is not validated |
| Shopify | $1,500 | Stealing livechat token and using it to chat as the user - user information disclosure |
| Shopify | $500 | https://windsor.shopify.com/ takeover |
| Shopify | $3,000 | Authentication Bypass on Icinga monitoring server |
| Shopify | $1,500 | Potentially Sensitive Information on GitHub |
| Shopify | $500 | Fetching external resources through SVG images |
| Shopify | $500 | View all deleted comments and rating of any app. |
| Shopify | $500 | Staff member can install apps even if they have limited access |
| Shopify | $500 | XSS on https://app.shopify.com/ |
| Shopify | $500 | Bypassed password authentication before enabling OTP verification |
| Shopify | $500 | Stored XSS via "Free Shipping" option (Discounts) |
| Shopify | $1,500 | Shopify GitHub login and password exposed; all private source code might be available. |
| Shopify | $500 | XSS on hardware.shopify.com |
| Shopify | $500 | Stored XSS in https://checkout.shopify.com/ |
| Shopify | $500 | XSS in all the widgets of shopifyapps.com |
| Shopify | $500 | File name and folder enumeration. |
| Shopify | - | Injection via CSV Export feature in Admin Orders |
| Shopify | $500 | XSS in Draft Orders in Timeline in SHOPIFY Admin Site |
| Shopify | $500 | XSS on hardware.shopify.com |
| Shopify | $500 | CSRF on https://shopify.com/plus |
| Shopify | $500 | Full access to Amazon S3 bucket containing AWS CloudTrail logs |
| Shopify | $500 | www.shopify.com XSS via third-party script |
| Shopify | $500 | Attach Pinterest account - no State/CSRF parameter in OAuth callback |
| Shopify | $500 | Twitter Disconnect CSRF |
| Shopify | $500 | Stored XSS in /admin/orders |
| Shopify | $500 | Stored Cross Site Scripting |
| Shopify | $500 | HTTP-Response-Splitting on v.shopify.com |
| Shopify | $500 | Reflected XSS on wholesale.shopify.com |
| Shopify | $500 | "Remember me" token generated when "Remember me" box unchecked |
| Shopify | $500 | Many XSS in widgets.shopifyapps.com |
| Shopify | - | [livechat.shopify.com] Cookie bomb at customer chats |
| Shopify | $500 | CSRF in Connecting Pinterest Account |
| Shopify | $1,000 | shopifyapps.com XSS on sales channels via currency formatting |
| Shopify | $500 | Open Redirect at *.myshopify.com/account/login?checkout_url= |
| Shopify | $500 | [CSRF] Install premium themes |
| Shopify | $500 | Open redirect using theme install |
| Shopify | $500 | XSS in creating tweets |
| Shopify | - | Cookie securing your "Opening soon" store is not secured against XSS |
| Shopify | $500 | An administrator without any permission is able to get order notifications using his APNS Token. |
| Shopify | - | CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com |
| Shopify | $500 | Deleted staff member can add his Amazon Marketplace Web Services account to the store. |
| Shopify | $500 | [CSRF] Activate PayPal Express Checkout |
| Shopify | $1,000 | S3 Buckets open to the world thanks to 'Authenticated Users' ACL |
| Shopify | $500 | Apps can access 'channels' beta API |
| Shopify | $1,500 | 'Limited' RCE in certain places where Liquid is accepted |
| Shopify | - | Non-owner user can remove online store channel and re-add it. |
| Shopify | $500 | List of devices is accessible regardless of the account limitations |
| Shopify | $500 | SVG parser loads external resources on image upload |
| Shopify | $500 | Staff members with no permission can access the files uploaded by the administrator |
| Shopify | $500 | An administrator without the 'Settings' permission is able to see payment gateways |
| Shopify | $500 | A 'Full access' administrator is able to see the shop owner's user details |
| Shopify | $500 | Staff members with no permission to access domains can access them. |
| Shopify | $500 | Missing CSRF protection |
| Shopify | - | Domain takeover - https://sellocdn.com |
| Shopify | $500 | Privilege escalation and circumvention of permission to limited access user |
| Shopify | $500 | Unauthorized access to any Store Admin's First & Last name |
| Shopify | $500 | Reflected XSS in cart at hardware.shopify.com |
| Shopify | $4,000 | Paid account can review/download any invoice of any other shop |
| Shopify | $500 | Some S3 Buckets are world readable (and one is world writeable) |
| Shopify | $1,500 | Arbitrary read on s3://shopify-delivery-app-storage/files |
| Shopify | $2,500 | Unauthorized access to all collections, products, pages from other stores |
| Shopify | $500 | Bypassing password requirement during deletion of account |
| Shopify | $2,000 | Arbitrary write on s3://shopify-delivery-app-storage/files |
| Shopify | $500 | Missing authorization check on dashboard overviews |
| Shopify | $500 | Get users' information without full access |
| Shopify | $1,000 | Unauthenticated access to details of hidden products in any shop via title enumeration |
| Shopify | $500 | First & Last Name Disclosure of any Shopify Store Admin |
| Shopify | $2,000 | Unauthorized access to all collections' names |
| Shopify | - | The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. |
| Shopify | $500 | Accessing Payments page and adding payment methods with limited access accounts |
| Shopify | $2,500 | Unauthorized access to all customers' first and last names |
| Shopify | $500 | Customers' password hash leak |
| Shopify | - | Passwords Returned in Later Responses. |
| Shopify | $1,000 | Change Login Services settings without owner access |
| Shopify | $1,000 | Create staff member without owner access |
| Shopify | $500 | Privilege escalation vulnerability |
| Shopify | $500 | www.shopify.com XSS on blog pages via sharing buttons |
| Shopify | $500 | XSS https://www.shopify.com/signup |
| Shopify | $500 | Self XSS in chat. |
| Shopify | $500 | XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) |
| Shopify | $1,000 | TCP Source Port Pass Firewall |
| Shopify | $3,000 | Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ |
| Shopify | $500 | Reflected XSS in chat |
| Shopify | - | Body injection in mailto link while commenting shop blog |
| Shopify | - | Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App |
| Shopify | $500 | XSS at Bulk editing ProductVariants |
| Shopify | $500 | XSS in Myshopify Admin Site in DISCOUNTS |
| Shopify | $1,000 | Bypass access restrictions from API |
| Shopify | $500 | SSRF via 'Insert Image' feature of Products/Collections/Frontpage |
| Shopify | $500 | SSRF via 'Add Image from URL' feature |
| Shopify | $500 | Expire User Sessions in Admin Site does not expire user session in Shopify Application on iOS |
| Shopify | $500 | XSS at Bulk editing products |
| Shopify | $500 | XSS at importing Product List |
| Shopify | $500 | [www.*.myshopify.com] CRLF Injection |
| Shopify | - | Header Misconfiguration - PHP API |
| Shopify | $1,000 | Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP` |
| Shopify | $500 | Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS |
| Shopify | $500 | XSS in myshopify.com Admin site in TAX Overrides |
| Shopify | $500 | Stored XSS in the Shopify Discussion Forums |
| Shopify | $500 | SSL cookie without secure flag set |
| Shopify | $500 | Content Spoofing |
| Shopify | $500 | Amazon AWS S3 bucket content is public: http://shopify.com.s3.amazonaws.com/ |
| Shopify | $500 | XSS in experts.shopify.com |
| Shopify | - | Comment out causes information disclosure |
| Shopify | $4,000 | Notification request discloses private information about other myshopify accounts |
| Shopify | - | Multiple issues on Checkout Process |
| Shopify | $500 | XSS on ecommerce.shopify.com |
| Shopify | - | XSS on support.shopify.com |
| Shopify | $500 | Invitation issue |
| Shopify | - | XSS - URL Redirects |
| Shopify | $500 | Payment gateway status transferred to Shopify without authentication |
| Shopify | $1,000 | Shop admin can change external login services |
| Shopify | $1,000 | IDOR: expire other users' sessions |
| Shopify | $2,000 | Shopify Android client leaks the response of every API request, including access_token, cookie, response headers and response body content |
| Shopify | $500 | CSRF token fixation in Facebook store app that can lead to adding attacker to victim account |
| Shopify | $1,000 | [persistent cross-site scripting] customers can target admins |
| Shopify | $500 | Force 500 Internal Server Error on any shop (for one user) |
| Shopify | - | Lack of SSL Pinning on POS Application (iOS) |
| Shopify | $500 | Open Redirect after login at http://ecommerce.shopify.com |
| Shopify | $500 | Authentication Failed Mobile version |
| Shopify | $500 | Open redirection in OAuth |
| Shopify | $500 | Missing SPF flags for myshopify.com |
| Shopify | $500 | XSS in website's link |