Hi, it’s me again :D Last week, I found a XSS vulnerability on *.myshopify.com. You can register a trial account and add a new product.
At the product’s title, you can inject a javascript and at the admin’s taskbar you click the View button and it will automatically open a new tab and a XSS popup will alert :P
Maybe it is a store-xss but Shopify’s rule does not accept it :|

In my opinion, when a hacker has admin’s privilege he can hijack other visitor when they shopping LOL .
Well I don’t mind anything about Shopify’s rule and I think I can disclosed this vulnerability :D
Yup that’s it and happy hacking!!!