SSRF in Shopify Exchange to RCE

Bug Bounty Report

Posted by André on May 23, 2018

This report has been disclosed on HackerOne: https://hackerone.com/reports/341876

Edit: Greg Castle (Kubernetes/GKE Security Tech Lead, Google) and Shane Lawrence (Security Infrastructure Engineer, Shopify) gave an amazing talk about this bug at KubeCon 2018: "Shopify's $25k Bug Report, and the Cluster Takeover That Didn't Happen".

You can download the slides (PDF) or watch the recording of the talk.

Timeline

  • 2018/04/23 Reported to Shopify via HackerOne #341876
  • 2018/04/23 Triaged (Severity: Critical - 10.0)
  • 2018/05/23 Resolved and bounty awarded
  • 2018/05/23 Report disclosed