Shopify

reports in last 90 days
253
disclosed resolved issues
4
disclosed informative issues
0
disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| Low | Clickjacking in [exchangemarketplace.com] | UI Redressing (Clickjacking) | eissen5c | 0 Days and 5 hours | 50 Days and 16 hours | Resolved |
| Low | HTML injection in https://interviewing.shopify.com/index.php?candidate= | Resource Injection | pklfpklf | Issue was not triaged | 0 Days and 16 hours | Resolved |
| Low | Inject page in admin panel via Shopify.API.pushState | Cross-site Scripting (XSS) - DOM | tems | 3 Days and 20 hours | 36 Days and 0 hours | Resolved |
| No rating | XSS while logging using Google | Cross-site Scripting (XSS) - Reflected | ashketchum | 0 Days and 4 hours | 0 Days and 5 hours | Resolved |
| Low | ██████ DOM XSS via Shopify.API.remoteRedirect | Cross-site Scripting (XSS) - DOM | wxy7174 | 0 Days and 14 hours | 9 Days and 0 hours | Resolved |
| Low | Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) | Improper Authentication - Generic | tems | 1 Day and 3 hours | 22 Days and 2 hours | Resolved |
| Low | [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer | None supplied | ngalog | 0 Days and 22 hours | 77 Days and 16 hours | Resolved |
| Low | any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store | Improper Access Control - Generic | modam3r5 | 3 Days and 0 hours | 6 Days and 22 hours | Resolved |
| Low | DOM XSS via Shopify.API.Modal.initialize | Cross-site Scripting (XSS) - DOM | tems | 0 Days and 13 hours | 11 Days and 0 hours | Resolved |
| Medium | Stored XSS in Discounts section | Cross-site Scripting (XSS) - Generic | mosuan | 0 Days and 4 hours | 3 Days and 1 hour | Resolved |
| No rating | Fetching external resources through svg images | Information Disclosure | detroitsmash | 0 Days and 2 hours | 11 Days and 19 hours | Resolved |
| No rating | Stealing users' facebook access tokens - kitcrm.com | Information Disclosure | zombiehelp54 | Issue was not triaged | 2 Days and 0 hours | Resolved |
| No rating | Able to Login deactivated staff account in shopify app mobile | Privilege Escalation | clarckowen_ | 0 Days and 13 hours | 0 Days and 7 hours | Resolved |
| None | Publicly Accessible Datadog link | Information Disclosure | rijalrojan | 0 Days and 3 hours | 8 Days and 16 hours | Resolved |
| No rating | Shopify GitHub Login and Password exposed all private source code might be available. | Information Disclosure | todayisnew | 0 Days and 5 hours | 3 Days and 15 hours | Resolved |
| Medium | H1514 Wholesale customer without checkout permission can complete purchases | Improper Access Control - Generic | cablej | 4 Days and 16 hours | 95 Days and 2 hours | Resolved |
| Low | H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret | Improper Input Validation | jobert | 4 Days and 0 hours | 144 Days and 21 hours | Resolved |
| Low | H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store | Privilege Escalation | anshuman_bh | 0 Days and 12 hours | 191 Days and 5 hours | Resolved |
| Medium | H1514 Simple phishing using auto-created modal with weak URL-pattern check in incontext_app_link | Business Logic Errors | fransrosen | 2 Days and 14 hours | 124 Days and 6 hours | Resolved |
| Low | H1514 Lack of access control on edit packing slip template | Improper Access Control - Generic | fisher | 10 Days and 21 hours | 191 Days and 5 hours | Resolved |
| Low | POST-based XSS on apps.shopify.com | Cross-site Scripting (XSS) - Generic | ruvlol | 4 Days and 2 hours | 0 Days and 3 hours | Resolved |
| Medium | Reverse Proxy misroute leading to steal X-Shopify-Access-Token header | Server-Side Request Forgery (SSRF) | ruvlol | 4 Days and 4 hours | 0 Days and 3 hours | Resolved |
| Low | SSRF in hatchful.shopify.com | Server-Side Request Forgery (SSRF) | zhurig | 0 Days and 11 hours | 119 Days and 2 hours | Resolved |
| Low | Access to Employee calendar disclosing internal presentation and meetings | Improper Access Control - Generic | commandersnuggle | 0 Days and 19 hours | 31 Days and 3 hours | Resolved |
| Medium | Reflected XSS in *.myshopify.com/account/register | Cross-site Scripting (XSS) - Reflected | ishahriyar | 0 Days and 9 hours | 77 Days and 2 hours | Resolved |