Technology

Shopify pays $15,250 bug bounty for a Christmas Eve vulnerability

"The bug was filed on Christmas Eve, and within 12 hours the Shopify team rolled out a fix to address the immediate issue."

By Patrick Howell O'Neill

February 8, 2018

Shopify's office (Flickr)

This one had the potential for a holiday nightmare: A security researcher reported a critical vulnerability to the Canadian e-commerce company Shopify late on Christmas Eve last year.

Instead, Shopify fixed the bug within 12 hours and paid out $15,250 to a bug bounty hunter who goes by the handle Cache-Money.

The bug potentially allowed an attacker to bypass Shopify’s email verification process and ultimately gain access to an online store they didn’t own. For a platform whose entire reason to exist is to host stores and protect retailers, any threat of hijackings is a big deal.

“We tracked down the bug to a race condition in the logic for changing and verifying email addresses,” Shopify’s security team explained on the platform HackerOne, which handles Shopify’s bounty program, including communication and payment with researchers. A race condition is a situation in programming where the result depends on a certain sequence of events. Vulnerabilities can result if a hacker figures out how to upend that sequence.

“We fixed it by locking the database record during those actions and requiring store administrators to approve all collaborator requests,” the Shopify team said.

Launched in 2004, Shopify allows clients to take payments online and off. The company earned $389 million in revenue in 2016. The company grew significantly over 2017, earning $580 million in revenue from September 2016 through September 2017.

It took a little over a month for the bounty decision process to unfold. For his patience, the bounty hunter got $15,000 for the bug and $250 for verifying Shopify’s fix. You can read the full technical blow-by-blow here.

“The bug was filed on Christmas Eve, and within 12 hours the Shopify team rolled out a fix to address the immediate issue,” the bounty hunter wrote. “It was a pleasure to work with a team that takes security as seriously as they do.”

Update: A previous version of this article listed incorrect figures for Shopify’s yearly revenue. We’ve corrected the error.

Shopify pays $15,250 bug bounty for a Christmas Eve vulnerability

More Like This

House hurtles toward showdown over expiring surveillance tools

Civil society groups press platforms to step up election integrity work

Anonymous hacker, who bragged about exploits on TikTok, says he was raided by Canadian police

Top Stories

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

Hackers find 122 vulnerabilities — 27 deemed critical — during first round of DHS bug bounty program

TikTok unveils bug bounty program, scraps with US government in court over looming ban

What Shopify has learned from five years of bug bounty programs

Cyber Command’s bug bounty program uncovers more than 30 vulnerabilities

California’s new labor law is going to impact bug bounty companies. By how much is unknown.

Why bug bounty firms want to be penetration testing companies

Pentagon’s latest bug bounty program pays out $80,000

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics