How I got my first $500 bug bounty from Shopify

Ahmed Al-Ahmed
2 min read · Mar 23, 2021

To anyone and whoever is interested:

I am Ahmed Al Ahmed, a senior software engineer. Some time ago, I decided to hop on the bandwagon and start working as a bug bounty hunter (part-time, of course). To get straight to the point, I just started to look for programs on hackerone.com, and after a long search, Shopify became my target.

For the longest time, I believed that it’s sort of impossible to find any vulnerabilities within Shopify as it is one of the most common programs and many professional hackers before me have already tried and found their share of vulnerabilities. Regardless, I decided to persevere.

After quite some time digging into Shopify, discovering features, and understanding pros and cons, I thought I had found something! I found an XSS within the pages and products, and I was extremely thrilled. But not so long after, I read the policy and realized it's not accepted. 😢

Three hours and three vulnerabilities later, I thought I should stop looking as all the vulnerabilities I found were considered “Duplicated”.

But then… *drum roll*, I spotted something super important! Whenever I upload a CSV file containing a set of products on the dashboard, the CSV file's name is reflected in the admin portal content!

Finally! I quickly prepared a simple XSS payload and it worked! Then I wrote a few lines for the report, and 2 hours later it was triaged and a $500 bounty was awarded to me.
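What this bug class looks like in code, as an added example that is not Shopify's code or anything from the report: an uploaded file name rendered raw into the page beside the same notice with the name HTML-encoded, plus an upload-time check that flags names carrying markup characters. The function names and the sample file name are assumptions for illustration.

```javascript
// Added example (not Shopify's code): rendering an uploaded file's name into an admin page.
// The bug class from the post is a file name reflected into HTML without encoding.

// Vulnerable form: the raw name is concatenated into markup, so any tag inside the
// file name becomes part of the page instead of being shown as text.
function renderUploadNoticeVulnerable(fileName) {
  return `<p>Imported products from <strong>${fileName}</strong></p>`;
}

// Hardened form: encode the five HTML-significant characters before the name
// reaches the markup, so the browser displays the name literally.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderUploadNotice(fileName) {
  return `<p>Imported products from <strong>${escapeHtml(fileName)}</strong></p>`;
}

// Defensive check at upload time: a CSV file name that contains markup characters
// has no legitimate reason to, so it can be rejected or logged for review.
// Output encoding above is still required; this check is only an extra signal.
function hasMarkupCharacters(fileName) {
  return /[<>"'&]/.test(fileName);
}

// Constructed sample file name (not from the report) containing a script tag.
const sampleName = 'products<script>alert(1)</script>.csv';

// Vulnerable rendering keeps the tag intact; the hardened rendering neutralizes it.
console.log(renderUploadNoticeVulnerable(sampleName).includes('<script>')); // true
console.log(renderUploadNotice(sampleName).includes('<script>'));           // false
console.log(hasMarkupCharacters(sampleName));                               // true
```

When the name is written into a live DOM rather than a server-rendered string, assigning it to `textContent` instead of `innerHTML` achieves the same encoding without a helper.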

And this is my quick story of how I earned my first $500 as a Shopify bug bounty hunter.

Report Link: https://hackerone.com/reports/982510
