Discovered by zseano on Shopify

This issue took No information to triage and 0 Days and 21 hours to resolve once triaged.

Hi Shopify,

So I was doing some scanning for another client and saw a ton of * appear and thought to myself "Huh? I thought hosted shops on weird, let's check this out".

An example is this: - as you can see it's a store opening soon, but it's on However when I try my own store: then it will give me the generic "Did you mean etc etc". Very weird. I tried looking around and playing as much as possible, but I wasn't able to actually get a URL. (If this is actually possible could you let me know how?)

I found these via this BTW: (there's quite a few more).

One that caught my eye was It's set to auto-redirect to another domain ( which had actually expired. I purchased it and now when you visit you're redirected to a site I control. (yay for owning a subdomain)

PoC: (can even use https to make it even more 'trustworthy')

An attack idea would be saying to users "New product released by Shopify! Increase your sales by using Windsor. Read more:" (users will see and trust. Plus the fact it's a cool name like 'Windsor' may get users' attention).

We could then in theory create a domain similar to shopify and redirect straight to another domain. Add all the HTTPS stuff to make it look even more real, and we have a pretty good attack surface!

Note: I've done a lot of internal phishing for clients and had a 100% success rate every time, hence why I'm reporting this as I feel this URL could be used to easily phish users.
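The class of bug in this report is a dangling redirect: a trusted hostname 301/302s to a domain whose registration has lapsed, so whoever registers it receives the traffic. As an added example (not part of zseano's report and not Shopify tooling), below is the check a practitioner would run over a list of hostnames to find this: follow each redirect chain, take the final hostname, and flag it if it no longer resolves. All hostnames and the fake HTTP/DNS answers in `SAMPLE_LOCATIONS` and `SAMPLE_LIVE` are constructed so the script runs offline; the `live_fetch_location` and `live_resolves` helpers are the assumed drop-in replacements for real use.

```python
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # enough for real chains; also bounds runaway redirect loops


def redirect_chain(start_url, fetch_location, max_hops=MAX_HOPS):
    """Follow Location headers from start_url and return every URL visited, in order."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        location = fetch_location(url)
        if not location:
            break
        url = urljoin(url, location)  # resolves relative Location values against the current URL
        if url in chain:              # redirect loop: stop rather than spin
            break
        chain.append(url)
    return chain


def find_dangling_redirects(hosts, fetch_location, resolves):
    """Return {host: final_hostname} for hosts whose redirect chain ends on a name that
    no longer resolves, i.e. a candidate for the expired-domain takeover in the report."""
    findings = {}
    for host in hosts:
        chain = redirect_chain(f"https://{host}/", fetch_location)
        final_host = urlsplit(chain[-1]).hostname
        # Same-host redirects (e.g. "/" -> "/store") are not a takeover path; skip them.
        if final_host and final_host != host and not resolves(final_host):
            findings[host] = final_host
    return findings


# --- Constructed sample data standing in for live HTTP and DNS (none of these are real shops) ---
SAMPLE_LOCATIONS = {
    "https://shop-a.example.com/": "https://example-expired-brand.com/",  # dangling
    "https://shop-b.example.com/": "https://www.live-brand.example/",     # target still resolves
    "https://shop-c.example.com/": "/store",                              # relative, same host
    "https://shop-d.example.com/": "https://hop.example.net/",            # two-hop chain ...
    "https://hop.example.net/": "https://another-expired.com/",           # ... ending dangling
}
SAMPLE_LIVE = {
    "shop-a.example.com", "shop-b.example.com", "shop-c.example.com",
    "shop-d.example.com", "www.live-brand.example", "hop.example.net",
}
SAMPLE_HOSTS = ["shop-a.example.com", "shop-b.example.com",
                "shop-c.example.com", "shop-d.example.com"]


def sample_fetch_location(url):
    """Offline stand-in: the Location header our constructed 'server' would send, or None."""
    return SAMPLE_LOCATIONS.get(url)


def sample_resolves(hostname):
    """Offline stand-in for a DNS lookup."""
    return hostname in SAMPLE_LIVE


# --- Assumed live replacements (standard library only; not exercised offline) ---
def live_fetch_location(url, timeout=5):
    """HEAD the URL without following redirects and return its Location header, if any."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib raise HTTPError on 3xx instead of following it

    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")  # the 3xx itself lands here
    except (urllib.error.URLError, OSError):
        return None


def live_resolves(hostname):
    """True if the name has any A/AAAA record; NXDOMAIN and similar return False."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    for src, dst in find_dangling_redirects(SAMPLE_HOSTS, sample_fetch_location, sample_resolves).items():
        print(f"{src} -> {dst}: final domain does not resolve, check whether it is registrable")
```

A non-resolving final hostname is only a lead: confirm with a WHOIS/RDAP lookup that the registrable domain is actually available before calling it a takeover, since a registered domain with broken DNS looks the same to this script. The opposite case, a name that resolves to a cloud resource nobody owns, is a different dangling-DNS check and is not covered here.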