SSRF in Shopify Exchange to RCE

Bug Bounty Report

Posted by 0xacb on May 23, 2018 · 1 min read

This report has been disclosed on HackerOne:

Edit: Greg Castle (Kubernetes/GKE Security Tech Lead, Google) and Shane Lawrence (Security Infrastructure Engineer, Shopify) gave an amazing talk about this bug at KubeCon 2018: Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen

You can download the slides here (PDF) or just watch the talk:


  • 2018/04/23 Reported to Shopify via HackerOne #341876
  • 2018/04/23 Triaged (Severity: Critical - 10.0)
  • 2018/05/23 Resolved and bounty awarded
  • 2018/05/23 Report disclosed