Shopify: Some S3 Buckets are world readable (and one is world writeable)

ID H1:94502
Type hackerone
Reporter brakhane
Modified 2015-10-24T14:18:02


The researcher reported that several S3 buckets containing the name "shopify" were world-readable. Out of the reported buckets, two belonged to us and were not intended to be public and may have contained sensitive data. We changed the bucket options to disable file listing on the affected buckets.
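
An added example, not part of the original report: a defender-side audit that flags public grants in bucket ACLs shaped like the output of `aws s3api get-bucket-acl`. It assumes the exposure came from ACL grants, which the report does not state, and the bucket names and owner IDs in the sample are constructed.

```python
# Predefined S3 grantee groups that make a grant effectively public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# What each bucket-level ACL permission allows on the bucket.
CAPABILITIES = {
    "READ": {"list"},            # list object keys ("file listing")
    "WRITE": {"write"},          # create, overwrite and delete objects
    "READ_ACP": {"read-acl"},
    "WRITE_ACP": {"write-acl"},  # lets the grantee rewrite the ACL itself
    "FULL_CONTROL": {"list", "write", "read-acl", "write-acl"},
}

def public_exposure(acl):
    """Return {audience: sorted capabilities} for grants made to public groups."""
    found = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # grants to a specific account are not public
        caps = CAPABILITIES.get(grant.get("Permission"), set())
        found.setdefault(audience, set()).update(caps)
    return {who: sorted(caps) for who, caps in found.items()}

def audit(acls):
    """Map bucket name -> exposure, keeping only buckets with a public grant."""
    report = {}
    for name, acl in acls.items():
        exposure = public_exposure(acl)
        if exposure:
            report[name] = exposure
    return report

def _grant(kind, ident, perm):
    key = "URI" if kind == "Group" else "ID"
    return {"Grantee": {"Type": kind, key: ident}, "Permission": perm}

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OWNER = _grant("CanonicalUser", "constructed-owner-id", "FULL_CONTROL")
# Constructed sample ACLs: one listable, one listable and writable, one private.
SAMPLE = {
    "example-assets": {"Grants": [OWNER, _grant("Group", ALL_USERS, "READ")]},
    "example-uploads": {"Grants": [OWNER, _grant("Group", ALL_USERS, "READ"),
                                   _grant("Group", ALL_USERS, "WRITE")]},
    "example-private": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    for bucket, exposure in audit(SAMPLE).items():
        print(bucket, exposure)
```

A bucket policy can also grant public access, so a clean ACL result on its own does not show that a bucket is private.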