Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Shopify. Show all posts

Globally, Over 4 Million Shopify Users Are at Risk

 


In a report published on Friday by CloudSEK's BeVigil, a security search engine for mobile apps, it has been found that over four million users of e-commerce apps around the world are exposed to the risk of hardcoded Shopify tokens.   

As an e-commerce platform, Shopify allows anyone to create a store that enables them to sell their products online and allows businesses to do the same. Shopify is expected to be used by more than 4.4 million websites by the end of 2023 and is located in more than 175 countries. 
 
Researchers are claiming that there is a risk that crooks will gain access to sensitive data belonging to millions of Android users with e-commerce apps. 

It was recently revealed in a CloudSEK BeVigil report that researchers discovered 21 e-commerce apps that had 22 hardcoded Shopify API keys and that these keys/tokens could potentially expose the personally identifiable information (PII) of roughly four million users to the possibility of identity theft. 

A hardcoded API key becomes visible to anyone with access to the code, including attackers and unauthorized users, as soon as the key is hardcoded in the code. An attacker can access sensitive data and perform actions on behalf of the program if they can access the hardcoded key. They can then use it to access sensitive data. The company said in a press release that even if they do not have the authorization to do so, they could still do it of their own volition. 

Information About Credit Cards

It is estimated that at least 18 of the 22 hardcoded keys allow attackers to use them to view sensitive data that belongs to customers. The researchers explained that this is based on their findings further in their report. A second report provided by the researchers states that seven API keys enable users to view and modify gift cards. In addition, six API keys allow a threat actor to steal information about payment accounts.  

As part of the sensitive data, collect name, email address, website address, country, address complete, phone number, and other information related to the shop owner is collected. The site also enables customers to access information regarding their past orders and their preferences for receiving emails.  

Regarding information on payment accounts, threat actors may be able to access details about banking transactions, like credit or debit cards used by customers to make purchases. These can be obtained by obtaining the BIN numbers of credit cards, the ending numbers of the cards, the name of the company that issued the cards, the IP addresses of browsers, the names on the cards, expiration dates, and other sensitive information. 

According to the researchers, one of the exposed API keys used by the shop provided shop details on authentication, hoping to show their point. 

Researchers have also pointed out that this is not a Shopify employee error but rather a widespread issue with app developers leaking API keys and tokens to third parties.   

An e-commerce platform such as Shopify enables businesses of all sizes to easily create an online store and, in turn, sell their products online. It is estimated that there are more than four million websites with Shopify integration today, enabling both physical and digital purchases from their online shoppers.   

CloudSEK notified Shopify about their findings however, no response has yet been received from Shopify in response.   

Severe Shopify Flaw Exposed GitHub Access Token And Source Code Repositories

 

Computer science student Augusto Zanellato has earned a $50,000 payday following the discovery of a publicly available GitHub Personal Access Token (PAT) which gave access to the Shopify source code repositories. 

Zanellato spotted the exposed GitHub token in a .env file while reviewing a public macOS Electron-based app. The vulnerability gave access to both public and private repos and admin privileges, potentially allowing a less ethically-minded individual to tamper with repositories and even plant backdoors. Although Zanellato didn’t realize it at the time, the Electron-based app was developed by a Shopify employee. 

"After finding the GitHub token inside the application I tried to use it against the GitHub API to see what token it was, whom it belongs to, what privileges it had etc. I found out that the user in question was a member of the Shopify organization and that he had push and pull access to all the private Shopify repositories," Zanellato explained.

Upon discovering the flaw, Zanellato reported the issue to Shopify via the HackerOne bug bounty program. After the initial bug report earlier this year, the Shopify team worked on developing a fix. Consequently, the vendors deployed a patch by revoking the GitHub PAT. Nonetheless, given the severe impact of the flaw, they have labeled the bug as “critical” with a severity score of 10.0. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. Today the Shopify platform has more than 1.7 million customers across the globe – all of whom could have been impacted by the leaked token, had it been exploited. 

“I think the most important lesson to be learned here for developers is to triple check what you are actually bundling in your release builds. Hackers on the other hand should always check what a token they found provides access to,” Zanellato said. 

“If I haven’t checked it manually with the GitHub API, I would have never discovered that the guy developing that application was a Shopify employee with read/write access to all the repositories, so I wouldn’t have ever found that issue , Zanellato concluded.