Shopify pays $15,250 bug bounty for a Christmas Eve vulnerability


This one had the potential for a holiday nightmare: A security researcher reported a critical vulnerability to the Canadian e-commerce company Shopify late on Christmas Eve last year.

Instead, Shopify fixed the bug within 12 hours and paid out $15,250 to a bug bounty hunter who goes by the handle Cache-Money.

The bug potentially allowed an attacker to bypass Shopify’s email verification process and ultimately gain access to an online store they didn’t own. For a platform whose entire reason to exist is to host stores and protect retailers, any threat of hijackings is a big deal.

“We tracked down the bug to a race condition in the logic for changing and verifying email addresses,” Shopify’s security team explained on the platform HackerOne, which handles Shopify’s bounty program, including communication with researchers and their payment. A race condition is a situation in programming where the result depends on the order and timing in which events happen. Vulnerabilities can result if a hacker figures out how to upend that sequence.

“We fixed it by locking the database record during those actions and requiring store administrators to approve all collaborator requests,” the Shopify team said.
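
The record-locking fix described above, shown as an added example: this is a constructed model, not Shopify's code and not a reconstruction of the reported bug. It assumes a verification handler that checks a token and then sets a flag, and every name, address and token in it is hypothetical.

```python
import threading
from contextlib import nullcontext
from dataclasses import dataclass, field

@dataclass
class Account:                       # hypothetical record, constructed for this example
    email: str                       # address currently stored on the record
    token: str                       # token that was mailed to `email`
    verified: bool = False
    lock: threading.Lock = field(default_factory=threading.Lock)

def guard(acct, use_lock):
    """Per-record lock when enabled, otherwise a no-op context."""
    return acct.lock if use_lock else nullcontext()

def change_email(acct, new_email, new_token, use_lock):
    """Swap the address; a new address always starts unverified."""
    with guard(acct, use_lock):
        acct.email, acct.token, acct.verified = new_email, new_token, False

def verify_email(acct, token, use_lock, window=lambda: None):
    """Check the token, then mark the record verified.
    `window` runs between check and write so the race is reproducible."""
    with guard(acct, use_lock):
        if token != acct.token:      # check
            return False
        window()                     # a concurrent request can land here
        acct.verified = True         # act: flags whatever address is stored now
        return True

def replay(use_lock):
    """One interleaving: a change request arrives in the middle of verification."""
    acct = Account("owner@example.test", "tok-1")
    workers = []
    def concurrent_change():
        t = threading.Thread(target=change_email,
                             args=(acct, "unconfirmed@example.test", "tok-2", use_lock))
        t.start()
        t.join(timeout=0.2)          # with the lock held, the change has to wait
        workers.append(t)
    verify_email(acct, "tok-1", use_lock, window=concurrent_change)
    workers[0].join()                # let the change finish before reading state
    return acct.email, acct.verified

if __name__ == "__main__":
    print("no lock  :", replay(False))   # new address ends up flagged verified
    print("with lock:", replay(True))    # new address stays unverified
```

Without the lock, the flag is written after the address has changed, so an address that never received a token is marked verified; with the lock, the two operations are serialized and the new address starts unverified.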

Launched in 2004, Shopify allows clients to take payments online and off. The company earned $389 million in revenue in 2016. The company grew significantly over 2017, earning $580 million in revenue from September 2016 through September 2017.

It took a little over a month for the bounty decision process to unfold. For his patience, the bounty hunter got $15,000 for the bug and $250 for verifying Shopify’s fix. You can read the full technical blow-by-blow here.

“The bug was filed on Christmas Eve, and within 12 hours the Shopify team rolled out a fix to address the immediate issue,” the bounty hunter wrote. “It was a pleasure to work with a team that takes security as seriously as they do.”

Update: A previous version of this article listed incorrect figures for Shopify’s yearly revenue. We’ve corrected the error.
