Top reports from Shopify program at HackerOne:

  1. Takeover an account that doesn't have a Shopify ID and more to Shopify - 2974 upvotes, $0
  2. Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 1905 upvotes, $0
  3. Github access token exposure to Shopify - 1469 upvotes, $50000
  4. [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 892 upvotes, $0
  5. H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 828 upvotes, $0
  6. SSRF in Exchange leads to ROOT access in all instances to Shopify - 571 upvotes, $0
  7. Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation to Shopify - 554 upvotes, $0
  8. Shopify Stocky App OAuth Misconfiguration to Shopify - 523 upvotes, $0
  9. H1514 Server Side Template Injection in Return Magic email templates? to Shopify - 408 upvotes, $0
  10. H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 370 upvotes, $0
  11. XSS while logging using Google to Shopify - 338 upvotes, $1750
  12. Stored XSS in my staff name fired in another your internal panel to Shopify - 321 upvotes, $0
  13. Shopify admin authentication bypass using partners.shopify.com to Shopify - 307 upvotes, $0
  14. Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation to Shopify - 307 upvotes, $0
  15. CSRF on connecting Paypal as Payment Provider to Shopify - 301 upvotes, $0
  16. Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - 261 upvotes, $15250
  17. DoS Vulnerability via Cache Poisoning on cdn.shopify.com and shopify-assets.shopifycdn.com to Shopify - 248 upvotes, $3800
  18. XSS at jamfpro.shopifycloud.com to Shopify - 233 upvotes, $9400
  19. Shopify Partners Invitation Process Allows Privilege Escalation Without Email Verification to Shopify - 228 upvotes, $3500
  20. H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing to Shopify - 192 upvotes, $0
  21. H1514 [*.(my)shopify.com] - Viewing Password Protected Content to Shopify - 190 upvotes, $3000
  22. GraphQL AdminGenerateSessionPayload is leaked to staff with no permission to Shopify - 173 upvotes, $0
  23. Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com to Shopify - 172 upvotes, $0
  24. XSS at https://exchangemarketplace.com/blogsearch to Shopify - 171 upvotes, $0
  25. IDOR on GraphQL queries BillingDocumentDownload and BillDetails to Shopify - 169 upvotes, $5000
  26. [h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) to Shopify - 163 upvotes, $3100
  27. Session works after logout from Shopify account and password of online store is displayed to Shopify - 156 upvotes, $0
  28. XSS in www.shopify.com/markets?utm_source= to Shopify - 156 upvotes, $0
  29. Undocumented fileCopy GraphQL API to Shopify - 152 upvotes, $2000
  30. Informations disclosure - Access to some checkout informations to Shopify - 146 upvotes, $0
  31. H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com to Shopify - 144 upvotes, $0
  32. User with removed manage shops permissions is still able to make changes to a shop to Shopify - 143 upvotes, $0
  33. Stored XSS in SVG file as data: url to Shopify - 142 upvotes, $5300
  34. HTTP Response Header Injection in shopify/pitchfork + Rack 3 to Shopify - 133 upvotes, $800
  35. Create free Shopify application credits. to Shopify - 133 upvotes, $0
  36. [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image to Shopify - 132 upvotes, $2900
  37. Stored XSS in private message to Shopify - 124 upvotes, $1000
  38. Reflected XSS In Marketing Reports Page On *.myshopify.com/admin to Shopify - 123 upvotes, $0
  39. XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" to Shopify - 119 upvotes, $3000
  40. Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP to Shopify - 116 upvotes, $0
  41. Access to Employee calendar disclosing internal presentation and meetings to Shopify - 108 upvotes, $1000
  42. Account Takeover Vulnerability in Shopify Collabs Platform Due to Missing Email Verification to Shopify - 107 upvotes, $800
  43. Stored XSS in Shopify Chat to Shopify - 105 upvotes, $500
  44. Reflected XSS on help.shopify.com to Shopify - 104 upvotes, $500
  45. Reflected XSS in *.myshopify.com/account/register to Shopify - 103 upvotes, $0
  46. Admin panel Exposure without credential at https://plus-website.shopifycloud.com/admin.php to Shopify - 102 upvotes, $2900
  47. Bypass a fix for report #708013 to Shopify - 101 upvotes, $3500
  48. Reflected XSS online-store-git.shopifycloud.com to Shopify - 97 upvotes, $3500
  49. Exposed Cortex API at https://cortex-ingest.shopifycloud.com/ to Shopify - 93 upvotes, $6300
  50. Ability to publish a paid theme without purchasing it. to Shopify - 89 upvotes, $2000
  51. Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) to Shopify - 88 upvotes, $500
  52. Add new development stores without permission to Shopify - 88 upvotes, $0
  53. Reverse Proxy misroute leading to steal X-Shopify-Access-Token header to Shopify - 87 upvotes, $1000
  54. XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications to Shopify - 85 upvotes, $5000
  55. No Session Expiry after log-out, attacker can reuse the old cookies to Shopify - 84 upvotes, $500
  56. Ability to link a Google account to another staff account/store owner that isn't linked yet to Shopify - 84 upvotes, $0
  57. https://themes.shopify.com::: Host header web cache poisoning lead to DoS to Shopify - 79 upvotes, $2900
  58. SVG Server Side Request Forgery (SSRF) to Shopify - 78 upvotes, $500
  59. URL Path Manipulation Enables Cache Poisoning of Amazon Affiliate Products in Shopify Linkpop to Shopify - 78 upvotes, $500
  60. Reflective Cross-site Scripting via Newsletter Form to Shopify - 77 upvotes, $2000
  61. ██████ DOM XSS via Shopify.API.remoteRedirect to Shopify - 76 upvotes, $0
  62. Blog posts atom feed of a store with password protection can be accessed by anyone to Shopify - 75 upvotes, $5000
  63. Stored XSS in Discounts section to Shopify - 75 upvotes, $1000
  64. xss stored to Shopify - 75 upvotes, $0
  65. Ability to verify any email address you don't own - accounts.shopify.com to Shopify - 74 upvotes, $0
  66. Exposure of shopify employee summit page allows anonymous user to place orders for free books to Shopify - 74 upvotes, $0
  67. Stored XSS in /admin/product and /admin/collections to Shopify - 72 upvotes, $5300
  68. CircleCI token in github repo allows for access to sensitive build information to Shopify - 72 upvotes, $0
  69. Blind Stored XSS in shopify internal Parquet Viewer to Shopify - 72 upvotes, $0
  70. help.shopify.com Cross Site Scripting to Shopify - 71 upvotes, $0
  71. Stealing livechat token and using it to chat as the user - user information disclosure to Shopify - 70 upvotes, $0
  72. myshopify.com domain takeover to Shopify - 70 upvotes, $0
  73. Reflected XSS in <any>.myshopify.com through theme preview to Shopify - 69 upvotes, $0
  74. POST-based XSS on apps.shopify.com to Shopify - 68 upvotes, $500
  75. Session works after logout from Shopify account to Shopify - 68 upvotes, $0
  76. xss is triggered on your web to Shopify - 68 upvotes, $0
  77. A staff member with no permissions can edit Store Customer Email to Shopify - 67 upvotes, $1500
  78. Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com to Shopify - 67 upvotes, $500
  79. Stored XSS through Facebook Page Connection to Shopify - 67 upvotes, $0
  80. A non-privileged user may create an admin account in Stocky to Shopify - 66 upvotes, $1600
  81. Shopify GitHub Login and Password exposed all private source code might be available. to Shopify - 66 upvotes, $1500
  82. Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog to Shopify - 66 upvotes, $1000
  83. Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click) to Shopify - 65 upvotes, $900
  84. Disclose customer orders details by shopify chat application. to Shopify - 64 upvotes, $2500
  85. Insufficient session expiration in the com.shopify.ping android app to Shopify - 63 upvotes, $0
  86. Xss triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/**** to Shopify - 62 upvotes, $2900
  87. Session Persistence Designed to Keep Users Logged In Across Multiple Devices (Intended Behaviour) to Shopify - 62 upvotes, $0
  88. Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance. to Shopify - 61 upvotes, $500
  89. URL Scheme Validation Bypass in Shopify Mobile App Allows Javascript Execution to Shopify - 61 upvotes, $0
  90. Staff without Manage Themes permissions can update themes to Shopify - 60 upvotes, $1900
  91. Open redirect using theme install to Shopify - 60 upvotes, $0
  92. Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass to Shopify - 59 upvotes, $0
  93. Reflected XSS on $Any$.myshopify.com/admin to Shopify - 58 upvotes, $1500
  94. Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! to Shopify - 57 upvotes, $2900
  95. H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption to Shopify - 57 upvotes, $802
  96. staff can able to extend shopify trial period without admin permission to Shopify - 56 upvotes, $0
  97. Stored XSS on activity to Shopify - 55 upvotes, $2000
  98. Self XSS to Shopify - 55 upvotes, $500
  99. XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com to Shopify - 55 upvotes, $0
  100. authenticity token not verfied leads to change business name to Shopify - 54 upvotes, $1900
  101. Non-store owners can transfer Shopify-managed domain to another domain provider to Shopify - 54 upvotes, $0
  102. Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link) to Shopify - 53 upvotes, $1600
  103. SSRF in hatchful.shopify.com to Shopify - 53 upvotes, $500
  104. Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission to Shopify - 53 upvotes, $0
  105. Stored xss to Shopify - 52 upvotes, $1000
  106. Inject page in admin panel via Shopify.API.pushState to Shopify - 51 upvotes, $500
  107. Stored XSS at https://linkpop.com to Shopify - 51 upvotes, $0
  108. EC2 Takeover at turn.shopify.com to Shopify - 51 upvotes, $0
  109. Bypass of fix #1370749 to Shopify - 50 upvotes, $900
  110. XSS within Shopify Email App - Admin to Shopify - 50 upvotes, $0
  111. Cross-site scripting on api.collabs.shopify.com to Shopify - 49 upvotes, $1600
  112. ability to install paid themes for free to Shopify - 49 upvotes, $0
  113. Able to Login deactivated staff account in shopify app mobile to Shopify - 48 upvotes, $0
  114. Reflected XSS to Shopify - 48 upvotes, $0
  115. H1514 Bypass Wholesale account signup restrictions to Shopify - 48 upvotes, $0
  116. [h1-2102] [Oberlo] Least privileged user can cancel account owner's subscription via POST on /payments/subscribe to Shopify - 48 upvotes, $0
  117. apps.shopify.com - CSRF token leakage through Google Analytics to Shopify - 47 upvotes, $0
  118. Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps to Shopify - 46 upvotes, $1900
  119. xss stored in https://your store.myshopify.com/admin/ to Shopify - 46 upvotes, $1000
  120. Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage to Shopify - 46 upvotes, $800
  121. Stored XSS in blog comments through Shopify API to Shopify - 46 upvotes, $0
  122. [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege to Shopify - 46 upvotes, $0
  123. H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps to Shopify - 45 upvotes, $500
  124. Subdomain Takeover - https://competition.shopify.com/ to Shopify - 45 upvotes, $0
  125. XSS on services.shopify.com to Shopify - 43 upvotes, $500
  126. Blind Stored XSS Via Staff Name to Shopify - 42 upvotes, $3000
  127. Authentication Bypass on Icinga monitoring server to Shopify - 42 upvotes, $0
  128. H1514 Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 42 upvotes, $0
  129. User sensitive information disclosure to Shopify - 40 upvotes, $1000
  130. Disclosure of Github Issues to Shopify - 40 upvotes, $0
  131. Exposed Slinky Instance Admin Panel to Shopify - 40 upvotes, $0
  132. Misconfiguration in Two Factor Authorisation to Shopify - 39 upvotes, $1500
  133. Inject page in admin panel via Shopify.API.pushState with protocol invalid to Shopify - 39 upvotes, $500
  134. App messaging can be hijacked by third-party websites to Shopify - 39 upvotes, $0
  135. Stored XSS on buy button to Shopify - 38 upvotes, $500
  136. Potential to abuse pricing errors in saved carts to Shopify - 38 upvotes, $0
  137. Removed staff members who had "Manage shops" permission can still create development stores to Shopify - 38 upvotes, $0
  138. Tinymce 2.4.0 to Shopify - 37 upvotes, $2000
  139. (BYPASS) Open redirect and XSS in supporthiring.shopify.com to Shopify - 37 upvotes, $0
  140. StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts to Shopify - 37 upvotes, $0
  141. Stored XSS on demo app link to Shopify - 37 upvotes, $0
  142. Low Privileged user can add or remove cash to/from sales register to Shopify - 37 upvotes, $0
  143. Stored XSS in [shop].myshopify.com/admin/orders/[id] to Shopify - 36 upvotes, $0
  144. Replace other user files in Inbox messages to Shopify - 36 upvotes, $0
  145. Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT to Shopify - 36 upvotes, $0
  146. One Click XSS in [www.shopify.com] to Shopify - 36 upvotes, $0
  147. XSS on product comments in transfers to Shopify - 35 upvotes, $500
  148. Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) to Shopify - 35 upvotes, $500
  149. XSS *.myshopify.com/collections/vendors?q= to Shopify - 35 upvotes, $0
  150. Unathorised access to admin endpoint on plus-website-staging5.shopifycloud.com to Shopify - 35 upvotes, $0
  151. Race condition at create new Location to Shopify - 34 upvotes, $500
  152. DOM XSS via Shopify.API.Modal.initialize to Shopify - 34 upvotes, $500
  153. Stored XSS Deleting Menu Links in the Shopify Admin to Shopify - 34 upvotes, $0
  154. Self-XSS in password reset functionality to Shopify - 34 upvotes, $0
  155. Production Key and Data Found on Subdomain No Longer Operated by Shopify / Dangling DNS to Shopify - 34 upvotes, $0
  156. Bypass Filter and get Stored Xss to Shopify - 33 upvotes, $3000
  157. [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer to Shopify - 33 upvotes, $0
  158. Script Editor preview token still working with uninstalled application, even for unpublished script to Shopify - 33 upvotes, $0
  159. Xss At Shopify Email App to Shopify - 33 upvotes, $0
  160. [h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones to Shopify - 32 upvotes, $1900
  161. Stored XSS in Dovetale by application of creator to Shopify - 32 upvotes, $1600
  162. XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter to Shopify - 32 upvotes, $1000
  163. Cross-site scripting in "Contact customer" form to Shopify - 32 upvotes, $0
  164. Add new managed stores without permission to Shopify - 32 upvotes, $0
  165. [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status to Shopify - 32 upvotes, $0
  166. [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement to Shopify - 32 upvotes, $0
  167. Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) to Shopify - 31 upvotes, $1500
  168. XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app to Shopify - 31 upvotes, $1000
  169. Fetching external resources through svg images to Shopify - 31 upvotes, $0
  170. H1514 Deanonymizing Exchange Marketplace private listings to Shopify - 30 upvotes, $1000
  171. XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app to Shopify - 30 upvotes, $800
  172. any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store to Shopify - 30 upvotes, $0
  173. Stored XSS in https://productreviews.shopifyapps.com/proxy/v4/reviews/product to Shopify - 30 upvotes, $0
  174. Ability to connect an external login service for unverified emails/accounts at accounts.shopify.com to Shopify - 29 upvotes, $1600
  175. IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop to Shopify - 29 upvotes, $500
  176. Senseitive data Related to Shopify Host -> https://shopify.zendesk.com/ to Shopify - 29 upvotes, $500
  177. Potentially Sensitive Information on GitHub to Shopify - 29 upvotes, $0
  178. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 29 upvotes, $0
  179. Account takeover intercepting magic link for Arrive app to Shopify - 29 upvotes, $0
  180. Path Traversal in App Proxy to Shopify - 29 upvotes, $0
  181. Self xss in product reviews to Shopify - 29 upvotes, $0
  182. [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole to Shopify - 29 upvotes, $0
  183. Open Redirect at *.myshopify.com/account/login?checkout_url= to Shopify - 28 upvotes, $0
  184. Open redirect in bulk edit to Shopify - 28 upvotes, $0
  185. Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 28 upvotes, $0
  186. Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ to Shopify - 27 upvotes, $0
  187. subdomain Takeover at blog.exchangemarketplace.com to Shopify - 27 upvotes, $0
  188. Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account to Shopify - 26 upvotes, $900
  189. None permission staff member can identify installed application and products attached to it to Shopify - 26 upvotes, $500
  190. user with no draft order permission can still perform action on draft order's in stocky app (idor) to Shopify - 26 upvotes, $500
  191. Stored XSS on apps.shopify.com to Shopify - 26 upvotes, $500
  192. Stealing users' facebook access tokens - kitcrm.com to Shopify - 26 upvotes, $0
  193. Preview bar: Incomplete message origin validation results in XSS to Shopify - 26 upvotes, $0
  194. [ux.shopify.com] Subdomain takeover to Shopify - 26 upvotes, $0
  195. Stored - XSS to Shopify - 26 upvotes, $0
  196. Sidekiq dashboard exposed at notary.shopifycloud.com to Shopify - 26 upvotes, $0
  197. Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all to Shopify - 26 upvotes, $0
  198. H1514 Simple phishing using auto-created modal with weak URL-pattern check in incontext_app_link to Shopify - 25 upvotes, $0
  199. Direct Access To admin Dashboard to Shopify - 25 upvotes, $0
  200. Is the Google Bucket Meant To Be Publicly Listable? https://cdn.shopify.com/shop-assets/ to Shopify - 25 upvotes, $0
  201. XSS seems to work again after change to linkpop at https://linkpop.com/testnaglinagli to Shopify - 25 upvotes, $0
  202. Staff can create workflows in Shopify Admin without apps permission to Shopify - 25 upvotes, $0
  203. Low Privileged Staff Member Can Export Billing Charges to Shopify - 24 upvotes, $1900
  204. IDOR expire other user sessions to Shopify - 24 upvotes, $1000
  205. H1514 Extract information about other sites (new sites) through Affiliate/Referral pages to Shopify - 24 upvotes, $0
  206. Ability to generate shipping labels in another store orders to Shopify - 24 upvotes, $0
  207. Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events to Shopify - 24 upvotes, $0
  208. GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior) to Shopify - 24 upvotes, $0
  209. Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly to Shopify - 23 upvotes, $0
  210. Admin bar: Incomplete message origin validation results in XSS to Shopify - 23 upvotes, $0
  211. xss triggered in "myshopify.com/admin/product" to Shopify - 23 upvotes, $0
  212. Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com to Shopify - 23 upvotes, $0
  213. [h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only to Shopify - 23 upvotes, $0
  214. Order Creation Webhooks can be edited/deleted by STAFF with Settings only permission to Shopify - 22 upvotes, $500
  215. STAFF member with NO Explicit permissions can view ActivityFeed via GraphQL to Shopify - 22 upvotes, $500
  216. Bypass GraphQL rate limit by abusing negative cost queries to Shopify - 22 upvotes, $0
  217. H1514 CSRF in Domain transfer allows adding your domain to other user's account to Shopify - 22 upvotes, $0
  218. Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the X-Accel-Redirect header via a configured App Proxy to Shopify - 22 upvotes, $0
  219. Ability to publish a paid theme without purchasing it. to Shopify - 21 upvotes, $2000
  220. [h1-2102] HTML injection in packing slips can lead to physical theft to Shopify - 21 upvotes, $900
  221. XSS on manually entering Postal codes to Shopify - 21 upvotes, $500
  222. H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage to Shopify - 21 upvotes, $0
  223. H1514 Stored XSS in Return Magic App portal content to Shopify - 21 upvotes, $0
  224. XSS / SELF XSS to Shopify - 21 upvotes, $0
  225. staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission to Shopify - 21 upvotes, $0
  226. staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission to Shopify - 21 upvotes, $0
  227. Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 to Shopify - 20 upvotes, $1000
  228. HTTP-Response-Splitting on v.shopify.com to Shopify - 20 upvotes, $500
  229. Inject page in admin panel via Shopify.API.pushState [New Payload] to Shopify - 20 upvotes, $500
  230. Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints to Shopify - 20 upvotes, $0
  231. Unpublished Product Images can be disclosed to Shopify - 19 upvotes, $500
  232. Information disclosure ( Google Sales Channel ) to Shopify - 19 upvotes, $500
  233. https://windsor.shopify.com/ takeover to Shopify - 19 upvotes, $0
  234. Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor to Shopify - 19 upvotes, $0
  235. Read access to hidden orders,products,customers etc. by limited access Staff member through reference page in Comments (Information disclosure ) to Shopify - 19 upvotes, $0
  236. Password reset link not expired at Stocky App to Shopify - 19 upvotes, $0
  237. Staff Member can Get POS Access Without User Interaction to Shopify - 19 upvotes, $0
  238. Domain Takeover at 3hopify.media to Shopify - 19 upvotes, $0
  239. Disconnecting an external login provider does not revoke session to Shopify - 18 upvotes, $1600
  240. Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C to Shopify - 18 upvotes, $500
  241. Ability to add address without being an admin or staff in the store via wholesale store to Shopify - 18 upvotes, $500
  242. Twitter Disconnect CSRF to Shopify - 18 upvotes, $0
  243. Publicly Accessible Datadog link to Shopify - 18 upvotes, $0
  244. Store Deletion or Sell without authentication to Shopify - 18 upvotes, $0
  245. [h1-2102] Information disclosure - ShopifyPlus add user displays existing Shopify ID fullname to Shopify - 18 upvotes, $0
  246. Attacker is able to query Github repositories of arbitrary Shopify Hydrogen Users to Shopify - 17 upvotes, $900
  247. Staff with no permissions could possibly list and accept billing promotions to Shopify - 17 upvotes, $600
  248. Open CouchDB on experiments.ec2.shopify.com:5984 to Shopify - 17 upvotes, $0
  249. Open redirect using checkout_url to Shopify - 17 upvotes, $0
  250. Access to Private Photos of Apps in App section(IDOR) to Shopify - 17 upvotes, $0
  251. HTML injection in https://interviewing.shopify.com/index.php?candidate= to Shopify - 17 upvotes, $0
  252. Clickjacking in [exchangemarketplace.com] to Shopify - 17 upvotes, $0
  253. Open Redirect - www.shopify.com to Shopify - 17 upvotes, $0
  254. Open Redirect on Login Page of Stocky App to Shopify - 17 upvotes, $0
  255. [https://shipit-sox-staging.shopifycloud.com] Presence of multiple vulnerabilities present in Ruby On Rails to Shopify - 17 upvotes, $0
  256. stored xss in invited team member via email parameter to Shopify - 16 upvotes, $500
  257. Order notifications being sent for a deactivated staff account to Shopify - 16 upvotes, $500
  258. PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard to Shopify - 16 upvotes, $500
  259. Theme editor oseid parameter is leaked to third-party services through the Referer header which leads to somekind of storefront password bypass. to Shopify - 16 upvotes, $500
  260. race condition in adding team members to Shopify - 16 upvotes, $0
  261. Cross Site Scripting at https://app.oberlo.com/ to Shopify - 16 upvotes, $0
  262. DOM XSS via Shopify.API.remoteRedirect to Shopify - 16 upvotes, $0
  263. Self XSS in Timeline to Shopify - 16 upvotes, $0
  264. [h1-2102] Partner's team member with no permission can retrieve services financial data to Shopify - 16 upvotes, $0
  265. Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/ to Shopify - 16 upvotes, $0
  266. Github base action takeover which is used in github.com/Shopify/unity-buy-sdk to Shopify - 16 upvotes, $0
  267. Self XSS in https://linkpop.com/dashboard/admin to Shopify - 16 upvotes, $0
  268. Add signature to transactions without any permission to Shopify - 15 upvotes, $500
  269. Disclose STUFF member name and make actions. to Shopify - 15 upvotes, $500
  270. XSS on postal codes to Shopify - 15 upvotes, $0
  271. User with no Develop apps permission can Uninstall Custom App to Shopify - 15 upvotes, $0
  272. [h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only to Shopify - 15 upvotes, $0
  273. After changing the storefront password, the preview link is still valid to Shopify - 15 upvotes, $0
  274. Read/Write arbitrary (non-HttpOnly) cookies on checkout pages via GoogleAnalyticsAdditionalScripts postMessage handler to Shopify - 14 upvotes, $1600
  275. H1514 Get access to non public information by pivoting with graphql queries to Shopify - 14 upvotes, $1500
  276. Reflective XSS on wholesale.shopify.com to Shopify - 14 upvotes, $500
  277. Access to Splunk at https://apt.ec2.shopify.com:8089 to Shopify - 14 upvotes, $500
  278. Staff member with no permission can delete POS staff from account settings to Shopify - 14 upvotes, $500
  279. your-store.myshopify.com preview link is leak on third party website lead to preview all action from store owner Without store Password. to Shopify - 14 upvotes, $500
  280. SVG parser loads external resources on image upload to Shopify - 14 upvotes, $0
  281. Unauthenticated Stored XSS on <any>.myshopify.com via checkout page to Shopify - 14 upvotes, $0
  282. Stored XSS in partners dashboard to Shopify - 14 upvotes, $0
  283. Screenshot Service leaks X-ABS-App-Token to Shopify - 14 upvotes, $0
  284. Subdomain Takeover at course.oberlo.com to Shopify - 14 upvotes, $0
  285. Open redirection in OAuth to Shopify - 13 upvotes, $500
  286. [apps.shopify.com] Open Redirect to Shopify - 13 upvotes, $500
  287. Stored XSS at 'Buy Button' page to Shopify - 13 upvotes, $500
  288. Subdomain takeover on s3.shopify.com to Shopify - 13 upvotes, $500
  289. From full-access account to Account Owner to Shopify - 13 upvotes, $500
  290. Stored XSS in *.myshopify.com to Shopify - 13 upvotes, $0
  291. SQL Exception thrown during product import to Shopify - 13 upvotes, $0
  292. Add store to new partner account without confirming email address. to Shopify - 13 upvotes, $0
  293. Improper deep link validation to Shopify - 13 upvotes, $0
  294. shopifyapps.com XSS on sales channels via currency formatting to Shopify - 12 upvotes, $1000
  295. S3 Buckets open to the world thanks to 'Authenticated Users' ACL to Shopify - 12 upvotes, $1000
  296. Orders full read for a staff with only Customers permissions. to Shopify - 12 upvotes, $800
  297. H1514 Lack of access control on edit packing slip template to Shopify - 12 upvotes, $500
  298. Shopify's SF and LA offices Dashboard Information disclosed via Public Gist to Shopify - 12 upvotes, $500
  299. (BYPASS) Open Redirect after login at http://ecommerce.shopify.com to Shopify - 12 upvotes, $0
  300. Access to Splunk via shard3-db2.ec2.shopify.com endpoint to Shopify - 12 upvotes, $0
  301. Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline to Shopify - 12 upvotes, $0
  302. XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline to Shopify - 12 upvotes, $0
  303. Open Redirect in www.shopify.dev Environment to Shopify - 12 upvotes, $0
  304. [h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS to Shopify - 12 upvotes, $0
  305. IDOR on stocky application-Low Stock-Varient-Settings-Columns to Shopify - 11 upvotes, $750
  306. password less login token expiration issue to Shopify - 11 upvotes, $500
  307. amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/ to Shopify - 11 upvotes, $0
  308. [CSRF] Install premium themes to Shopify - 11 upvotes, $0
  309. Authentication Bypass on monitoring server to Shopify - 11 upvotes, $0
  310. Open redirection in OAuth to Shopify - 11 upvotes, $0
  311. H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret to Shopify - 11 upvotes, $0
  312. Password protection can be removed for newly created development store to Shopify - 11 upvotes, $0
  313. The POS app doesn't revoke the Xauth token to Shopify - 11 upvotes, $0
  314. [h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management to Shopify - 11 upvotes, $0
  315. Reflected XSS in cart at hardware.shopify.com to Shopify - 10 upvotes, $0
  316. H1514 Wholesale customer without checkout permission can complete purchases to Shopify - 10 upvotes, $0
  317. Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner to Shopify - 10 upvotes, $0
  318. XSS stored in the Shopify Email app to Shopify - 10 upvotes, $0
  319. Password reset token leak via "Host header" on third party website to Shopify - 10 upvotes, $0
  320. Missing of csrf protection to Shopify - 9 upvotes, $500
  321. An administrator without any permission is able to get order notifications using his APNS Token. to Shopify - 9 upvotes, $500
  322. SSL cookie without secure flag set to Shopify - 9 upvotes, $0
  323. SSRF via 'Add Image from URL' feature to Shopify - 9 upvotes, $0
  324. Delete/modify your own comment after limited access(IDOR) to Shopify - 9 upvotes, $0
  325. [ecommerce.shopify.com] Invalidated redirection to Shopify - 9 upvotes, $0
  326. ShopifyAPI is vulnerable to timing attacks. to Shopify - 9 upvotes, $0
  327. API Webhooks Fire And Are Unlisted After Permissions Removed to Shopify - 9 upvotes, $0
  328. Potential SSRF and disclosure of sensitive site on *shopifycloud.com to Shopify - 9 upvotes, $0
  329. Subdomain Takeover of multiple *.ttcdn.co domains to Shopify - 9 upvotes, $0
  330. A staff without export customers permissions can still export customers CSV file to Shopify - 9 upvotes, $0
  331. H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store to Shopify - 8 upvotes, $500
  332. [h1-2102] Break permissions waterfall to Shopify - 8 upvotes, $500
  333. Same the Url to Shopify - 8 upvotes, $500
  334. Content Spoofing to Shopify - 8 upvotes, $0
  335. Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content to Shopify - 8 upvotes, $0
  336. (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' to Shopify - 8 upvotes, $0
  337. [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network to Shopify - 8 upvotes, $0
  338. Stocky App Administrator can create a backdoor admin account by using an existing POS User to Shopify - 8 upvotes, $0
  339. damage to the timeline so that comment fields cannot be displayed or not available to all members in the store to Shopify - 8 upvotes, $0
  340. Partner's non-verified business email change reflected into Shopify Collaborator Request to Shopify - 8 upvotes, $0
  341. Customer's full name disclosure via Shopify Chat (by email lookup) to Shopify - 8 upvotes, $0
  342. Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation to Shopify - 8 upvotes, $0
  343. The authentication code when activating 2FA can be used again to log in to Shopify - 8 upvotes, $0
  344. [h1-2102] Stored XSS in product description via productUpdate GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID] to Shopify - 7 upvotes, $1600
  345. Privilege Escalation - A MEMBER with no ACCESS to ORDERS can still access the orders by using Order Printer APP to Shopify - 7 upvotes, $1000
  346. Authentication Failed Mobile version to Shopify - 7 upvotes, $500
  347. Staff members with no permission can access to the files, uploaded by the administrator to Shopify - 7 upvotes, $500
  348. Bypass For #997350 your-store.myshopify.com preview link is leak on third party website Via Online Store to Shopify - 7 upvotes, $500
  349. store internal email disclosed through shopify-data-exporter to Shopify - 7 upvotes, $500
  350. Missing spf flags for myshopify.com to Shopify - 7 upvotes, $0
  351. Force 500 Internal Server Error on any shop (for one user) to Shopify - 7 upvotes, $0
  352. XSS in Draft Orders in Timeline in SHOPIFY Admin Site! to Shopify - 7 upvotes, $0
  353. Staff member can delete Private Apps to Shopify - 7 upvotes, $0
  354. View all deleted comments and rating of any app . to Shopify - 7 upvotes, $0
  355. Payment gateway status transferred to Shopify without authentication to Shopify - 7 upvotes, $0
  356. Deleted Post and Administrative Function Access in eCommerce Forum to Shopify - 7 upvotes, $0
  357. Stored passive XSS at scheduled posts (kitcrm.com) to Shopify - 7 upvotes, $0
  358. Redirect in adding advance cash on delivery app to Shopify - 7 upvotes, $0
  359. Open Redirect in shopify app URL to Shopify - 7 upvotes, $0
  360. access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- to Shopify - 7 upvotes, $0
  361. Admin web sessions remain active after logout of Shopify ID to Shopify - 7 upvotes, $0
  362. Unauthorized access to all collections, products, pages from other stores to Shopify - 6 upvotes, $2500
  363. 'Limited' RCE in certain places where Liquid is accepted to Shopify - 6 upvotes, $1500
  364. STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend to Shopify - 6 upvotes, $1000
  365. Open Redirect after login at http://ecommerce.shopify.com to Shopify - 6 upvotes, $500
  366. File name and folder enumeration. to Shopify - 6 upvotes, $500
  367. Bypassed password authentication before enabling OTP verification to Shopify - 6 upvotes, $500
  368. XSS in experts.shopify.com to Shopify - 6 upvotes, $0
  369. TCP Source Port Pass Firewall to Shopify - 6 upvotes, $0
  370. Privilege escalation and circumvention of permission to limited access user to Shopify - 6 upvotes, $0
  371. Open Redirect possible in https://www.shopify.com/admin/ to Shopify - 6 upvotes, $0
  372. Arbitrary write on s3://shopify-delivery-app-storage/files to Shopify - 5 upvotes, $2000
  373. Shop admin can change external login services to Shopify - 5 upvotes, $1000
  374. create staff member without owner access to Shopify - 5 upvotes, $1000
  375. Stored XSS in the Shopify Discussion Forums to Shopify - 5 upvotes, $500
  376. [www.*.myshopify.com] CRLF Injection to Shopify - 5 upvotes, $500
  377. get users information without full access to Shopify - 5 upvotes, $500
  378. An administrator without the 'Settings' permission is able to see payment gateways to Shopify - 5 upvotes, $500
  379. XSS in my.shopify.com in widget to Shopify - 5 upvotes, $500
  380. SSRF via 'Insert Image' feature of Products/Collections/Frontpage to Shopify - 5 upvotes, $0
  381. Paid account can review\download any invoice of any other shop to Shopify - 5 upvotes, $0
  382. Staff members with no permission to access domains can access them. to Shopify - 5 upvotes, $0
  383. [livechat.shopify.com] Cookie bomb at customer chats to Shopify - 5 upvotes, $0
  384. Attach Pinterest account - no State/CSRF parameter in Oauth Call back to Shopify - 5 upvotes, $0
  385. XSS on hardware.shopify.com to Shopify - 5 upvotes, $0
  386. Full access at an internal service of Shopify to Shopify - 5 upvotes, $0
  387. increased privileges on staff account to Shopify - 5 upvotes, $0
  388. Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition) to Shopify - 5 upvotes, $0
  389. *.shopify.com - Authentication bypass to Shopify - 5 upvotes, $0
  390. xss on polaris.shopify.com/demo using postMessage to Shopify - 5 upvotes, $0
  391. unauthorized access to all customers first and last name to Shopify - 4 upvotes, $2500
  392. change Login Services settings without owner access to Shopify - 4 upvotes, $1000
  393. CSRF token fixation in facebook store app that can lead to adding attacker to victim acc to Shopify - 4 upvotes, $500
  394. customers password hash leak!!!! to Shopify - 4 upvotes, $500
  395. Some S3 Buckets are world readable (and one is world writeable) to Shopify - 4 upvotes, $500
  396. Missing authorization check on dashboard overviews to Shopify - 4 upvotes, $500
  397. Stored Cross Site Scripting to Shopify - 4 upvotes, $500
  398. comment out causes information disclosure to Shopify - 4 upvotes, $0
  399. Xss in website's link to Shopify - 4 upvotes, $0
  400. XSS - URL Redirects to Shopify - 4 upvotes, $0
  401. XSS in myshopify.com Admin site in TAX Overrides to Shopify - 4 upvotes, $0
  402. Header Misconfiguration - PHP API to Shopify - 4 upvotes, $0
  403. [persistent cross-site scripting] customers can target admins to Shopify - 4 upvotes, $0
  404. Notification request disclose private information about other myshopify accounts to Shopify - 4 upvotes, $0
  405. Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App to Shopify - 4 upvotes, $0
  406. Domain takeover - https://sellocdn.com to Shopify - 4 upvotes, $0
  407. Unauthorized access to any Store Admin's First & Last name to Shopify - 4 upvotes, $0
  408. deleted staff member can add his amazon marketplace web services account to the store. to Shopify - 4 upvotes, $0
  409. CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com to Shopify - 4 upvotes, $0
  410. [CSRF] Activate PayPal Express Checkout to Shopify - 4 upvotes, $0
  411. Non-owner user can remove online store channel and re-add it. to Shopify - 4 upvotes, $0
  412. Full access to Amazon S3 bucket containing AWS CloudTrail logs to Shopify - 4 upvotes, $0
  413. Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation to Shopify - 4 upvotes, $0
  414. Arbitrary read on s3://shopify-delivery-app-storage/files to Shopify - 3 upvotes, $1500
  415. Bypass access restrictions from API to Shopify - 3 upvotes, $1000
  416. XSS at importing Product List to Shopify - 3 upvotes, $500
  417. XSS at Bulk editing products to Shopify - 3 upvotes, $500
  418. Accessing Payments page and adding payment methods with limited access accounts to Shopify - 3 upvotes, $500
  419. List of devices is accessible regardless of the account limitations to Shopify - 3 upvotes, $500
  420. A 'Full access' administrator is able to see the shop owners user details to Shopify - 3 upvotes, $500
  421. Apps can access 'channels' beta api to Shopify - 3 upvotes, $500
  422. "Remember me" token generated when "Remember me" box unchecked to Shopify - 3 upvotes, $500
  423. CSRF on https://shopify.com/plus to Shopify - 3 upvotes, $500
  424. Lack of SSL Pinning on POS Application ( iOS ) to Shopify - 3 upvotes, $0
  425. Multiple issues on Checkout Process to Shopify - 3 upvotes, $0
  426. XSS on support.shopify.com to Shopify - 3 upvotes, $0
  427. Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS to Shopify - 3 upvotes, $0
  428. Reflected XSS in chat. to Shopify - 3 upvotes, $0
  429. Invitation issue to Shopify - 3 upvotes, $0
  430. Passwords Returned in Later Responses. to Shopify - 3 upvotes, $0
  431. The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. to Shopify - 3 upvotes, $0
  432. Privilege escalation vulnerability to Shopify - 3 upvotes, $0
  433. Unauthenticated access to details of hidden products in any shop via title enumeration to Shopify - 3 upvotes, $0
  434. Bypassing password requirement during deletion of account to Shopify - 3 upvotes, $0
  435. First & Last Name Disclosure of any Shopify Store Admin to Shopify - 3 upvotes, $0
  436. XSS in creating tweets to Shopify - 3 upvotes, $0
  437. Get analytics token using only apps permission to Shopify - 3 upvotes, $0
  438. unauthorized access to all collections name to Shopify - 2 upvotes, $2000
  439. OrderListInitial leaks order details to Shopify - 2 upvotes, $1500
  440. XSS at Bulk editing ProductVariants to Shopify - 2 upvotes, $500
  441. XSS https://www.shopify.com/signup to Shopify - 2 upvotes, $500
  442. www.shopify.com XSS on blog pages via sharing buttons to Shopify - 2 upvotes, $500
  443. Stored XSS in https://checkout.shopify.com/ to Shopify - 2 upvotes, $500
  444. XSS on https://app.shopify.com/ to Shopify - 2 upvotes, $500
  445. XSS in Myshopify Admin Site in DISCOUNTS to Shopify - 2 upvotes, $0
  446. Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS to Shopify - 2 upvotes, $0
  447. Reflected XSS in chat to Shopify - 2 upvotes, $0
  448. XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) to Shopify - 2 upvotes, $0
  449. XSS on ecommerce.shopify.com to Shopify - 2 upvotes, $0
  450. Body injection in mailto link while commenting shop blog to Shopify - 2 upvotes, $0
  451. Cookie securing your "Opening soon" store is not secured against XSS to Shopify - 2 upvotes, $0
  452. CSRF in Connecting Pinterest Account to Shopify - 2 upvotes, $0
  453. Stored XSS in /admin/orders to Shopify - 2 upvotes, $0
  454. Injection via CSV Export feature in Admin Orders to Shopify - 2 upvotes, $0
  455. staff member can install apps even if have limited access to Shopify - 2 upvotes, $0
  456. Redirect url after login is not validated to Shopify - 2 upvotes, $0
  457. Setting Arbitrary Cookie at kitcrm.com to Shopify - 2 upvotes, $0
  458. www.shopify.com XSS via third-party script to Shopify - 1 upvotes, $500
  459. many xss in widgets.shopifyapps.com to Shopify - 1 upvotes, $500
  460. XSS on hardware.shopify.com to Shopify - 1 upvotes, $500
  461. xss in the all widgets of shopifyapps.com to Shopify - 1 upvotes, $500
  462. Stored XSS via "Free Shipping" option (Discounts) to Shopify - 1 upvotes, $500