Public Shopify bug reports.

Team Bounty Title
Shopify $500 IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
Shopify $500 Stored XSS in *.myshopify.com
Shopify - SQL Exception thrown during product import
Shopify $5,000 XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications
Shopify $3,000 XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
Shopify - API Webhooks Fire And Are Unlisted After Permissions Removed
Shopify $2,000 Reflected XSS in <any>.myshopify.com through theme preview
Shopify - Open Redirect in shopify app URL
Shopify - ShopifyAPI is vulnerable to timing attacks.
Shopify $1,000 XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
Shopify $800 XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app
Shopify $500 Full access at an internal service of Shopify
Shopify $500 Stored passive XSS at scheduled posts (kitcrm.com)
Shopify $1,500 Stored XSS in [shop].myshopify.com/admin/orders/[id]
Shopify - Setting Arbitrary Cookie at kitcrm.com
Shopify $500 Stealing users' facebook access tokens - kitcrm.com
Shopify $500 Subdomain takeover on s3.shopify.com
Shopify $500 apps.shopify.com - CSRF token leakage through Google Analytics
Shopify $1,000 CSRF in all API endpoints when authenticated using HTTP Authentication
Shopify $500 Authentication Bypass on monitoring server
Shopify $1,000 Stored XSS in blog comments through Shopify API
Shopify $500 XSS on postal codes
Shopify $500 XSS on manually entering Postal codes
Shopify $500 Unauthenticated Stored XSS on <any>.myshopify.com via checkout page
Shopify - Redirect in adding advance cash on delivery app
Shopify $500 Stored XSS at 'Buy Button' page
Shopify $500 XSS in my.shopify.com in widget
Shopify $1,500 Misconfiguration in Two Factor Authorisation
Shopify $500 race condition in adding team members
Shopify $2,000 Able to Login deactivated staff account in shopify app mobile
Shopify $500 [ecommerce.shopify.com] Invalidated redirection
Shopify $500 password less login token expiration issue
Shopify $500 Add signature to transactions without any permission
Shopify $500 Open redirect in bulk edit
Shopify $500 Deleted Post and Administrative Function Access in eCommerce Forum
Shopify $500 XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Shopify $500 Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Shopify - Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly
Shopify $500 Access to Splunk via shard3-db2.ec2.shopify.com endpoint
Shopify $500 Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor
Shopify $500 Open Redirect possible in https://www.shopify.com/admin/
Shopify $500 [apps.shopify.com] Open Redirect
Shopify $500 Open CouchDB on experiments.ec2.shopify.com:5984
Shopify $500 Open redirect using checkout_url
Shopify $1,000 (BYPASS) Open redirect and XSS in supporthiring.shopify.com
Shopify $500 Access to Splunk at https://apt.ec2.shopify.com:8089
Shopify $500 (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io'
Shopify $500 Staff member can delete Private Apps
Shopify $500 (BYPASS) Open Redirect after login at http://ecommerce.shopify.com
Shopify $500 Delete/modify your own comment after limited access(IDOR)
Shopify $1,000 Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181
Shopify - Redirect url after login is not validated
Shopify $1,500 Stealing livechat token and using it to chat as the user - user information disclosure
Shopify $500 https://windsor.shopify.com/ takeover
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Shopify $500 Fetching external resources through svg images
Shopify $500 View all deleted comments and rating of any app.
Shopify $500 staff member can install apps even if have limited access
Shopify $500 XSS on https://app.shopify.com/
Shopify $500 Bypassed password authentication before enabling OTP verification
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Shopify $1,500 Shopify GitHub Login and Password exposed all private source code might be available.
Shopify $500 XSS on hardware.shopify.com
Shopify $500 Stored XSS in https://checkout.shopify.com/
Shopify $500 xss in the all widgets of shopifyapps.com
Shopify $500 File name and folder enumeration.
Shopify - Injection via CSV Export feature in Admin Orders
Shopify $500 XSS in Draft Orders in Timeline in SHOPIFY Admin Site!
Shopify $500 XSS on hardware.shopify.com
Shopify $500 CSRF on https://shopify.com/plus
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Shopify $500 www.shopify.com XSS via third-party script
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
Shopify $500 Stored XSS in /admin/orders
Shopify $500 Stored Cross Site Scripting
Shopify $500 HTTP-Response-Splitting on v.shopify.com
Shopify $500 Reflective XSS on wholesale.shopify.com
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
Shopify $500 many xss in widgets.shopifyapps.com
Shopify - [livechat.shopify.com] Cookie bomb at customer chats
Shopify $500 CSRF in Connecting Pinterest Account
Shopify $1,000 shopifyapps.com XSS on sales channels via currency formatting
Shopify $500 Open Redirect at *.myshopify.com/account/login?checkout_url=
Shopify $500 [CSRF] Install premium themes
Shopify $500 Open redirect using theme install
Shopify $500 XSS in creating tweets
Shopify - Cookie securing your "Opening soon" store is not secured against XSS
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Shopify - CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Shopify $500 [CSRF] Activate PayPal Express Checkout
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
Shopify $500 Apps can access 'channels' beta api
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted
Shopify - Non-owner user can remove online store channel and re-add it.
Shopify $500 List of devices is accessible regardless of the account limitations
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access to the files, uploaded by the administrator
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Shopify $500 Missing of csrf protection
Shopify - Domain takeover - https://sellocdn.com
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Shopify $500 Reflected XSS in cart at hardware.shopify.com
Shopify $4,000 Paid account can review\download any invoice of any other shop
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of account
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title enumeration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
Shopify $2,000 unauthorized access to all collections name
Shopify - The POS Firmware is leaking the root Password which can be used for unauthorized access to the device.
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Shopify $2,500 unauthorized access to all customers first and last name
Shopify $500 customers password hash leak!!!!
Shopify - Passwords Returned in Later Responses.
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
Shopify $500 www.shopify.com XSS on blog pages via sharing buttons
Shopify $500 XSS https://www.shopify.com/signup
Shopify $500 Self XSS in chat.
Shopify $500 XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com)
Shopify $1,000 TCP Source Port Pass Firewall
Shopify $3,000 Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Shopify $500 Reflected XSS in chat
Shopify - Body injection in mailto link while commenting shop blog
Shopify - Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App
Shopify $500 XSS at Bulk editing ProductVariants
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS
Shopify $1,000 Bypass access restrictions from API
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Shopify $500 SSRF via 'Add Image from URL' feature
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Shopify $500 [www.*.myshopify.com] CRLF Injection
Shopify - Header Misconfiguration - PHP API
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Shopify $500 Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS
Shopify $500 XSS in myshopify.com Admin site in TAX Overrides
Shopify $500 Stored XSS in the Shopify Discussion Forums
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
Shopify $500 amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/
Shopify $500 XSS in experts.shopify.com
Shopify - comment out causes information disclosure
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Shopify - Multiple issues on Checkout Process
Shopify $500 XSS on ecommerce.shopify.com
Shopify - XSS on support.shopify.com
Shopify $500 Invitation issue
Shopify - XSS - URL Redirects
Shopify $500 Payment gateway status transferred to Shopify without authentication
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Shopify - Lack of SSL Pinning on POS Application ( iOS )
Shopify $500 Open Redirect after login at http://ecommerce.shopify.com
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
Shopify $500 Missing spf flags for myshopify.com
Shopify $500 Xss in website's link