TOPSHOPIFY.md

File metadata and controls

292 lines (288 loc) · 36.8 KB

Back

Top reports from Shopify program at HackerOne:

  1. [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - 780 upvotes, $15000
  2. H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products to Shopify - 711 upvotes, $15000
  3. Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - 654 upvotes, $15000
  4. Shopify Stocky App OAuth Misconfiguration to Shopify - 501 upvotes, $5000
  5. SSRF in Exchange leads to ROOT access in all instances to Shopify - 455 upvotes, $25000
  6. H1514 Server Side Template Injection in Return Magic email templates? to Shopify - 377 upvotes, $10000
  7. H1514 Ability to MiTM Shopify PoS Session to Takeover Communications to Shopify - 348 upvotes, $13337
  8. XSS while logging using Google to Shopify - 315 upvotes, $1750
  9. Shopify admin authentication bypass using partners.shopify.com to Shopify - 284 upvotes, $20000
  10. Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation to Shopify - 267 upvotes, $7500
  11. CSRF on connecting Paypal as Payment Provider to Shopify - 267 upvotes, $500
  12. Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - 205 upvotes, $15250
  13. H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing to Shopify - 177 upvotes, $5000
  14. H1514 [*.(my)shopify.com] - Viewing Password Protected Content to Shopify - 177 upvotes, $3000
  15. Session works after logout from Shopify account and password of online store is displayed to Shopify - 153 upvotes, $500
  16. H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com to Shopify - 131 upvotes, $5000
  17. Stored XSS in private message to Shopify - 115 upvotes, $1000
  18. Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP to Shopify - 111 upvotes, $2000
  19. XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" to Shopify - 101 upvotes, $3000
  20. Access to Employee calendar disclosing internal presentation and meetings to Shopify - 98 upvotes, $1000
  21. Stored XSS in Shopify Chat to Shopify - 97 upvotes, $500
  22. Reflected XSS in *.myshopify.com/account/register to Shopify - 93 upvotes, $1500
  23. Reverse Proxy misroute leading to steal X-Shopify-Access-Token header to Shopify - 77 upvotes, $1000
  24. XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications to Shopify - 75 upvotes, $5000
  25. Stored XSS in Discounts section to Shopify - 72 upvotes, $1000
  26. ██████ DOM XSS via Shopify.API.remoteRedirect to Shopify - 72 upvotes, $500
  27. xss stored to Shopify - 70 upvotes, $1000
  28. Reflective Cross-site Scripting via Newsletter Form to Shopify - 69 upvotes, $2000
  29. help.shopify.com Cross Site Scripting to Shopify - 67 upvotes, $500
  30. Reflected XSS in <any>.myshopify.com through theme preview to Shopify - 66 upvotes, $2000
  31. Stealing livechat token and using it to chat as the user - user information disclosure to Shopify - 66 upvotes, $1500
  32. Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) to Shopify - 66 upvotes, $500
  33. POST-based XSS on apps.shopify.com to Shopify - 65 upvotes, $500
  34. Ability to verify any email address you don't own - accounts.shopify.com to Shopify - 63 upvotes, $500
  35. Session works after logout from Shopify account to Shopify - 61 upvotes, $500
  36. Stored XSS through Facebook Page Connection to Shopify - 61 upvotes, $500
  37. Reflected XSS on $Any$.myshopify.com/admin to Shopify - 56 upvotes, $1500
  38. myshopify.com domain takeover to Shopify - 56 upvotes, $1000
  39. Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance. to Shopify - 53 upvotes, $500
  40. Stored XSS on activity to Shopify - 51 upvotes, $2000
  41. H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption to Shopify - 51 upvotes, $802
  42. SSRF in hatchful.shopify.com to Shopify - 47 upvotes, $500
  43. Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass to Shopify - 46 upvotes, $5000
  44. Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission to Shopify - 46 upvotes, $1500
  45. Able to Login deactivated staff account in shopify app mobile to Shopify - 45 upvotes, $2000
  46. Shopify GitHub Login and Password exposed all private source code might be available. to Shopify - 45 upvotes, $1500
  47. H1514 Bypass Wholesale account signup restrictions to Shopify - 44 upvotes, $2000
  48. ability to install paid themes for free to Shopify - 44 upvotes, $1000
  49. Subdomain Takeover - https://competition.shopify.com/ to Shopify - 44 upvotes, $750
  50. Stored xss to Shopify - 43 upvotes, $1000
  51. apps.shopify.com - CSRF token leakage through Google Analytics to Shopify - 43 upvotes, $500
  52. Inject page in admin panel via Shopify.API.pushState to Shopify - 43 upvotes, $500
  53. H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps to Shopify - 43 upvotes, $500
  54. SVG Server Side Request Forgery (SSRF) to Shopify - 42 upvotes, $500
  55. Reflected XSS to Shopify - 42 upvotes, $0
  56. Authentication Bypass on Icinga monitoring server to Shopify - 39 upvotes, $3000
  57. Disclosure of Github Issues to Shopify - 38 upvotes, $500
  58. Stored XSS in blog comments through Shopify API to Shopify - 37 upvotes, $1000
  59. App messaging can be hijacked by third-party websites to Shopify - 37 upvotes, $1000
  60. H1514 Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 36 upvotes, $2000
  61. XSS on services.shopify.com to Shopify - 36 upvotes, $500
  62. Stored XSS on buy button to Shopify - 35 upvotes, $500
  63. Removed staff members who had "Manage shops" permission can still create development stores to Shopify - 35 upvotes, $500
  64. Stored XSS in [shop].myshopify.com/admin/orders/[id] to Shopify - 34 upvotes, $1500
  65. XSS on product comments in transfers to Shopify - 34 upvotes, $500
  66. XSS *.myshopify.com/collections/vendors?q= to Shopify - 33 upvotes, $1500
  67. (BYPASS) Open redirect and XSS in supporthiring.shopify.com to Shopify - 33 upvotes, $1000
  68. Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) to Shopify - 33 upvotes, $500
  69. Tinymce 2.4.0 to Shopify - 32 upvotes, $2000
  70. DOM XSS via Shopify.API.Modal.initialize to Shopify - 32 upvotes, $500
  71. Bypass Filter and get Stored Xss to Shopify - 31 upvotes, $3000
  72. Stored XSS Deleting Menu Links in the Shopify Admin to Shopify - 31 upvotes, $1000
  73. StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts to Shopify - 31 upvotes, $500
  74. Misconfiguration in Two Factor Authorisation to Shopify - 29 upvotes, $1500
  75. XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app to Shopify - 29 upvotes, $1000
  76. XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter to Shopify - 29 upvotes, $1000
  77. Potential to abuse pricing errors in saved carts to Shopify - 29 upvotes, $1000
  78. Fetching external resources through svg images to Shopify - 29 upvotes, $500
  79. Stored XSS in https://productreviews.shopifyapps.com/proxy/v4/reviews/product to Shopify - 29 upvotes, $500
  80. H1514 Deanonymizing Exchange Marketplace private listings to Shopify - 28 upvotes, $1000
  81. Self-XSS in password reset functionality to Shopify - 28 upvotes, $500
  82. Cross-site scripting in "Contact customer" form to Shopify - 28 upvotes, $500
  83. Potentially Sensitive Information on GitHub to Shopify - 27 upvotes, $1500
  84. XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app to Shopify - 27 upvotes, $800
  85. Any staff member with the ability to comment in [discounts] can disable the comment section for other staff, even the admin of the store to Shopify - 27 upvotes, $0
  86. Open redirect using theme install to Shopify - 25 upvotes, $500
  87. Open redirect in bulk edit to Shopify - 25 upvotes, $500
  88. CSRF in all API endpoints when authenticated using HTTP Authentication to Shopify - 24 upvotes, $1000
  89. Stealing users' facebook access tokens - kitcrm.com to Shopify - 24 upvotes, $500
  90. [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer to Shopify - 24 upvotes, $500
  91. subdomain Takeover at blog.exchangemarketplace.com to Shopify - 24 upvotes, $0
  92. Stored - XSS to Shopify - 24 upvotes, $0
  93. Preview bar: Incomplete message origin validation results in XSS to Shopify - 23 upvotes, $1000
  94. [ux.shopify.com] Subdomain takeover to Shopify - 23 upvotes, $0
  95. Replace other user files in Inbox messages to Shopify - 22 upvotes, $1000
  96. Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections to Shopify - 22 upvotes, $1000
  97. Race condition at create new Location to Shopify - 22 upvotes, $500
  98. H1514 Simple phishing using auto-created modal with weak URL-pattern check in incontext_app_link to Shopify - 20 upvotes, $1837
  99. H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage to Shopify - 20 upvotes, $1000
  100. H1514 Stored XSS in Return Magic App portal content to Shopify - 20 upvotes, $750
  101. XSS on manually entering Postal codes to Shopify - 20 upvotes, $500
  102. None permission staff member can identify installed application and products attached to it to Shopify - 20 upvotes, $500
  103. H1514 Extract information about other sites (new sites) through Affiliate/Referral pages to Shopify - 19 upvotes, $1000
  104. Admin bar: Incomplete message origin validation results in XSS to Shopify - 19 upvotes, $500
  105. Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly to Shopify - 19 upvotes, $0
  106. Bypass GraphQL rate limit by abusing negative cost queries to Shopify - 19 upvotes, $0
  107. Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ to Shopify - 18 upvotes, $3000
  108. Read access to hidden orders,products,customers etc. by limited access Staff member through reference page in Comments (Information disclosure ) to Shopify - 17 upvotes, $500
  109. STAFF member with NO Explicit permissions can view ActivityFeed via GraphQL to Shopify - 17 upvotes, $500
  110. Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor to Shopify - 16 upvotes, $500
  111. Publicly Accessible Datadog link to Shopify - 16 upvotes, $500
  112. Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C to Shopify - 16 upvotes, $500
  113. H1514 CSRF in Domain transfer allows adding your domain to other user's account to Shopify - 16 upvotes, $500
  114. Open CouchDB on experiments.ec2.shopify.com:5984 to Shopify - 15 upvotes, $500
  115. stored xss in invited team member via email parameter to Shopify - 15 upvotes, $500
  116. Order notifications being sent for a deactivated staff account to Shopify - 15 upvotes, $500
  117. Order Creation Webhooks can be edited/deleted by STAFF with Settings only permission to Shopify - 15 upvotes, $500
  118. Cross Site Scripting at https://app.oberlo.com/ to Shopify - 15 upvotes, $0
  119. Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 to Shopify - 14 upvotes, $1000
  120. Open redirect using checkout_url to Shopify - 14 upvotes, $500
  121. XSS on postal codes to Shopify - 14 upvotes, $500
  122. IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop to Shopify - 14 upvotes, $500
  123. DOM XSS via Shopify.API.remoteRedirect to Shopify - 14 upvotes, $500
  124. Clickjacking in [exchangemarketplace.com] to Shopify - 14 upvotes, $0
  125. Access to Splunk at https://apt.ec2.shopify.com:8089 to Shopify - 13 upvotes, $500
  126. Unauthenticated Stored XSS on <any>.myshopify.com via checkout page to Shopify - 13 upvotes, $500
  127. Access to Private Photos of Apps in App section(IDOR) to Shopify - 13 upvotes, $500
  128. Stored XSS in partners dashboard to Shopify - 13 upvotes, $500
  129. PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard to Shopify - 13 upvotes, $500
  130. Unpublished Product Images can be disclosed to Shopify - 13 upvotes, $500
  131. HTML injection in https://interviewing.shopify.com/index.php?candidate= to Shopify - 13 upvotes, $0
  132. race condition in adding team members to Shopify - 12 upvotes, $500
  133. XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline to Shopify - 11 upvotes, $500
  134. Add signature to transactions without any permission to Shopify - 11 upvotes, $500
  135. Stored XSS at 'Buy Button' page to Shopify - 11 upvotes, $500
  136. Stored XSS in *.myshopify.com to Shopify - 11 upvotes, $500
  137. From full-access account to Account Owner to Shopify - 11 upvotes, $500
  138. Add store to new partner account without confirming email address. to Shopify - 11 upvotes, $0
  139. Open Redirect at *.myshopify.com/account/login?checkout_url= to Shopify - 10 upvotes, $500
  140. Twitter Disconnect CSRF to Shopify - 10 upvotes, $500
  141. https://windsor.shopify.com/ takeover to Shopify - 10 upvotes, $500
  142. [CSRF] Install premium themes to Shopify - 10 upvotes, $500
  143. (BYPASS) Open Redirect after login at http://ecommerce.shopify.com to Shopify - 10 upvotes, $500
  144. Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline to Shopify - 10 upvotes, $500
  145. [apps.shopify.com] Open Redirect to Shopify - 10 upvotes, $500
  146. Subdomain takeover on s3.shopify.com to Shopify - 10 upvotes, $500
  147. H1514 Lack of access control on edit packing slip template to Shopify - 10 upvotes, $500
  148. Shopify's SF and LA offices Dashboard Information disclosed via Public Gist to Shopify - 10 upvotes, $500
  149. SQL Exception thrown during product import to Shopify - 10 upvotes, $0
  150. H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret to Shopify - 10 upvotes, $0
  151. Access to Splunk via shard3-db2.ec2.shopify.com endpoint to Shopify - 9 upvotes, $500
  152. H1514 Get access to non public information by pivoting with graphql queries to Shopify - 8 upvotes, $1500
  153. IDOR expire other user sessions to Shopify - 8 upvotes, $1000
  154. [ecommerce.shopify.com] Invalidated redirection to Shopify - 8 upvotes, $500
  155. Authentication Bypass on monitoring server to Shopify - 8 upvotes, $500
  156. ShopifyAPI is vulnerable to timing attacks. to Shopify - 8 upvotes, $0
  157. Open redirection in OAuth to Shopify - 8 upvotes, $0
  158. HTTP-Response-Splitting on v.shopify.com to Shopify - 7 upvotes, $500
  159. SVG parser loads external resources on image upload to Shopify - 7 upvotes, $500
  160. Delete/modify your own comment after limited access(IDOR) to Shopify - 7 upvotes, $500
  161. H1514 Wholesale customer without checkout permission can complete purchases to Shopify - 7 upvotes, $500
  162. API Webhooks Fire And Are Unlisted After Permissions Removed to Shopify - 7 upvotes, $0
  163. amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/ to Shopify - 6 upvotes, $500
  164. Missing of csrf protection to Shopify - 6 upvotes, $500
  165. XSS in Draft Orders in Timeline in SHOPIFY Admin Site! to Shopify - 6 upvotes, $500
  166. Staff member can delete Private Apps to Shopify - 6 upvotes, $500
  167. View all deleted comments and rating of any app . to Shopify - 6 upvotes, $500
  168. (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' to Shopify - 6 upvotes, $500
  169. password less login token expiration issue to Shopify - 6 upvotes, $500
  170. Stored passive XSS at scheduled posts (kitcrm.com) to Shopify - 6 upvotes, $500
  171. H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store to Shopify - 6 upvotes, $500
  172. Open Redirect in shopify app URL to Shopify - 6 upvotes, $0
  173. [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network to Shopify - 6 upvotes, $0
  174. Potential SSRF and disclosure of sensitive site on *shopifycloud.com to Shopify - 6 upvotes, $0
  175. Open Redirect possible in https://www.shopify.com/admin/ to Shopify - 5 upvotes, $500
  176. Deleted Post and Administrative Function Access in eCommerce Forum to Shopify - 5 upvotes, $500
  177. Redirect in adding advance cash on delivery app to Shopify - 5 upvotes, $0
  178. Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content to Shopify - 4 upvotes, $2000
  179. shopifyapps.com XSS on sales channels via currency formatting to Shopify - 4 upvotes, $1000
  180. Privilege Escalation - A MEMBER with no ACCESS to ORDERS can still access the orders by using Order Printer APP to Shopify - 4 upvotes, $1000
  181. Missing spf flags for myshopify.com to Shopify - 4 upvotes, $500
  182. Content Spoofing to Shopify - 4 upvotes, $500
  183. Force 500 Internal Server Error on any shop (for one user) to Shopify - 4 upvotes, $500
  184. Open redirection in OAuth to Shopify - 4 upvotes, $500
  185. Reflected XSS in cart at hardware.shopify.com to Shopify - 4 upvotes, $500
  186. XSS on hardware.shopify.com to Shopify - 4 upvotes, $500
  187. Staff members with no permission can access to the files, uploaded by the administrator to Shopify - 4 upvotes, $500
  188. Payment gateway status transferred to Shopify without authentication to Shopify - 4 upvotes, $500
  189. Full access at an internal service of Shopify to Shopify - 4 upvotes, $500
  190. Paid account can review\download any invoice of any other shop to Shopify - 3 upvotes, $4000
  191. S3 Buckets open to the world thanks to 'Authenticated Users' ACL to Shopify - 3 upvotes, $1000
  192. Stored XSS in the Shopify Discussion Forums to Shopify - 3 upvotes, $500
  193. [www.*.myshopify.com] CRLF Injection to Shopify - 3 upvotes, $500
  194. An administrator without any permission is able to get order notifications using his APNS Token. to Shopify - 3 upvotes, $500
  195. Stored Cross Site Scripting to Shopify - 3 upvotes, $500
  196. XSS in my.shopify.com in widget to Shopify - 3 upvotes, $500
  197. Notification request disclose private information about other myshopify accounts to Shopify - 2 upvotes, $4000
  198. Unauthorized access to all collections, products, pages from other stores to Shopify - 2 upvotes, $2500
  199. Arbitrary write on s3://shopify-delivery-app-storage/files to Shopify - 2 upvotes, $2000
  200. 'Limited' RCE in certain places where Liquid is accepted to Shopify - 2 upvotes, $1500
  201. TCP Source Port Pass Firewall to Shopify - 2 upvotes, $1000
  202. Shop admin can change external login services to Shopify - 2 upvotes, $1000
  203. create staff member without owner access to Shopify - 2 upvotes, $1000
  204. XSS at importing Product List to Shopify - 2 upvotes, $500
  205. SSL cookie without secure flag set to Shopify - 2 upvotes, $500
  206. SSRF via 'Insert Image' feature of Products/Collections/Frontpage to Shopify - 2 upvotes, $500
  207. Some S3 Buckets are world readable (and one is world writeable) to Shopify - 2 upvotes, $500
  208. Missing authorization check on dashboard overviews to Shopify - 2 upvotes, $500
  209. Accessing Payments page and adding payment methods with limited access accounts to Shopify - 2 upvotes, $500
  210. Privilege escalation and circumvention of permission to limited access user to Shopify - 2 upvotes, $500
  211. deleted staff member can add his amazon marketplace web services account to the store. to Shopify - 2 upvotes, $500
  212. An administrator without the 'Settings' permission is able to see payment gateways to Shopify - 2 upvotes, $500
  213. Reflective XSS on wholesale.shopify.com to Shopify - 2 upvotes, $500
  214. Full access to Amazon S3 bucket containing AWS CloudTrail logs to Shopify - 2 upvotes, $500
  215. Stored XSS in https://checkout.shopify.com/ to Shopify - 2 upvotes, $500
  216. XSS on https://app.shopify.com/ to Shopify - 2 upvotes, $500
  217. staff member can install apps even if have limited access to Shopify - 2 upvotes, $500
  218. Passwords Returned in Later Responses. to Shopify - 2 upvotes, $0
  219. [livechat.shopify.com] Cookie bomb at customer chats to Shopify - 2 upvotes, $0
  220. Setting Arbitrary Cookie at kitcrm.com to Shopify - 2 upvotes, $0
  221. unauthorized access to all collections name to Shopify - 1 upvotes, $2000
  222. Arbitrary read on s3://shopify-delivery-app-storage/files to Shopify - 1 upvotes, $1500
  223. [persistent cross-site scripting] customers can target admins to Shopify - 1 upvotes, $1000
  224. change Login Services settings without owner access to Shopify - 1 upvotes, $1000
  225. Unauthenticated access to details of hidden products in any shop via title enumeration to Shopify - 1 upvotes, $1000
  226. Xss in website's link to Shopify - 1 upvotes, $500
  227. XSS in experts.shopify.com to Shopify - 1 upvotes, $500
  228. Authentication Failed Mobile version to Shopify - 1 upvotes, $500
  229. XSS in myshopify.com Admin site in TAX Overrides to Shopify - 1 upvotes, $500
  230. XSS at Bulk editing products to Shopify - 1 upvotes, $500
  231. XSS at Bulk editing ProductVariants to Shopify - 1 upvotes, $500
  232. SSRF via 'Add Image from URL' feature to Shopify - 1 upvotes, $500
  233. Reflected XSS in chat to Shopify - 1 upvotes, $500
  234. XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) to Shopify - 1 upvotes, $500
  235. Reflected XSS in chat. to Shopify - 1 upvotes, $500
  236. Open Redirect after login at http://ecommerce.shopify.com to Shopify - 1 upvotes, $500
  237. Staff members with no permission to access domains can access them. to Shopify - 1 upvotes, $500
  238. get users information without full access to Shopify - 1 upvotes, $500
  239. Unauthorized access to any Store Admin's First & Last name to Shopify - 1 upvotes, $500
  240. First & Last Name Disclosure of any Shopify Store Admin to Shopify - 1 upvotes, $500
  241. List of devices is accessible regardless of the account limitations to Shopify - 1 upvotes, $500
  242. A 'Full access' administrator is able to see the shop owners user details to Shopify - 1 upvotes, $500
  243. Apps can access 'channels' beta api to Shopify - 1 upvotes, $500
  244. [CSRF] Activate PayPal Express Checkout to Shopify - 1 upvotes, $500
  245. "Remember me" token generated when "Remember me" box unchecked to Shopify - 1 upvotes, $500
  246. Attach Pinterest account - no State/CSRF parameter in Oauth Call back to Shopify - 1 upvotes, $500
  247. CSRF in Connecting Pinterest Account to Shopify - 1 upvotes, $500
  248. Stored XSS in /admin/orders to Shopify - 1 upvotes, $500
  249. CSRF on https://shopify.com/plus to Shopify - 1 upvotes, $500
  250. File name and folder enumeration. to Shopify - 1 upvotes, $500
  251. xss in the all widgets of shopifyapps.com to Shopify - 1 upvotes, $500
  252. Stored XSS via "Free Shipping" option (Discounts) to Shopify - 1 upvotes, $500
  253. Bypassed password authentication before enabling OTP verification to Shopify - 1 upvotes, $500
  254. comment out causes information disclosure to Shopify - 1 upvotes, $0
  255. XSS - URL Redirects to Shopify - 1 upvotes, $0
  256. Lack of SSL Pinning on POS Application ( iOS ) to Shopify - 1 upvotes, $0
  257. Multiple issues on Checkout Process to Shopify - 1 upvotes, $0
  258. XSS on support.shopify.com to Shopify - 1 upvotes, $0
  259. Header Misconfiguration - PHP API to Shopify - 1 upvotes, $0
  260. The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. to Shopify - 1 upvotes, $0
  261. CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com to Shopify - 1 upvotes, $0
  262. Non-owner user can remove online store channel and re-add it. to Shopify - 1 upvotes, $0
  263. Redirect url after login is not validated to Shopify - 1 upvotes, $0
  264. unauthorized access to all customers first and last name to Shopify - 0 upvotes, $2500
  265. Bypass access restrictions from API to Shopify - 0 upvotes, $1000
  266. CSRF token fixation in facebook store app that can lead to adding attacker to victim acc to Shopify - 0 upvotes, $500
  267. Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS to Shopify - 0 upvotes, $500
  268. XSS in Myshopify Admin Site in DISCOUNTS to Shopify - 0 upvotes, $500
  269. Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS to Shopify - 0 upvotes, $500
  270. XSS https://www.shopify.com/signup to Shopify - 0 upvotes, $500
  271. XSS on ecommerce.shopify.com to Shopify - 0 upvotes, $500
  272. Invitation issue to Shopify - 0 upvotes, $500
  273. customers password hash leak!!!! to Shopify - 0 upvotes, $500
  274. Privilege escalation vulnerability to Shopify - 0 upvotes, $500
  275. www.shopify.com XSS on blog pages via sharing buttons to Shopify - 0 upvotes, $500
  276. Bypassing password requirement during deletion of account to Shopify - 0 upvotes, $500
  277. XSS in creating tweets to Shopify - 0 upvotes, $500
  278. www.shopify.com XSS via third-party script to Shopify - 0 upvotes, $500
  279. many xss in widgets.shopifyapps.com to Shopify - 0 upvotes, $500
  280. XSS on hardware.shopify.com to Shopify - 0 upvotes, $500
  281. Body injection in mailto link while commenting shop blog to Shopify - 0 upvotes, $0
  282. Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App to Shopify - 0 upvotes, $0
  283. Domain takeover - https://sellocdn.com to Shopify - 0 upvotes, $0
  284. Cookie securing your "Opening soon" store is not secured against XSS to Shopify - 0 upvotes, $0
  285. Injection via CSV Export feature in Admin Orders to Shopify - 0 upvotes, $0
