Shopify SSRF

I found a server-side request forgery vulnerability within the 'add image via URL' function in myshopify's admin panel.

I could perform port scans on remote hosts, proxying through Shopify's servers.
Accessing internal networks was not possible at this time.
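
A sketch of the server-side check that keeps a fetch-by-URL feature like this from being used as a port-scanning proxy, added here as an example (it is not part of the original post and not Shopify's code). The names `check_image_url`, `ALLOWED_PORTS` and `FAKE_DNS`, and the port and address policy, are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: an image fetcher only ever needs the default web ports.
ALLOWED_PORTS = {"http": 80, "https": 443}


def dns_resolver(host):
    """Every address the name resolves to (live DNS; swapped out in the demo)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_image_url(url, resolver=dns_resolver):
    """Return (host, port, ip_to_connect_to) or raise ValueError."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_PORTS or not parts.hostname:
        raise ValueError("scheme or host not allowed")
    port = parts.port if parts.port is not None else ALLOWED_PORTS[scheme]
    if port != ALLOWED_PORTS[scheme]:
        # Arbitrary ports are what turn the fetcher into a port scanner.
        raise ValueError("port not allowed")
    try:
        addresses = {str(ipaddress.ip_address(parts.hostname))}  # literal IP
    except ValueError:
        addresses = set(resolver(parts.hostname))
    if not addresses or not all(ipaddress.ip_address(a).is_global for a in addresses):
        # Reject if ANY answer is loopback, private, link-local or reserved.
        raise ValueError("address not public")
    # Connect to this checked IP; re-check every redirect target the same way.
    return parts.hostname, port, sorted(addresses)[0]


# Constructed DNS answers so the example runs offline; all names are made up.
FAKE_DNS = {
    "cdn.example.com": {"93.184.216.34"},
    "intranet.example.com": {"10.0.0.5"},
    "mixed.example.com": {"93.184.216.34", "127.0.0.1"},
}


def verdict(url):
    """'ok' or the rejection reason, using the constructed DNS table."""
    try:
        check_image_url(url, lambda host: FAKE_DNS.get(host, set()))
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The caller should return one generic error to the user for every rejection and every fetch failure, so that response differences do not reveal whether a port is open.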

Timeline:

  • 20.12.2014 vulnerability discovered
  • 21.12.2014 bug reported to Shopify
  • 02.02.2015 issue confirmed, but not eligible for a reward (..?!)
  • 10.02.2015 bug fixed