Over 4 million users globally at risk from hardcoded Shopify tokens
Over four million e-commerce app users globally are at risk from hardcoded Shopify tokens, according to a report published on Friday by cyber-security firm CloudSEK’s BeVigil, a security search engine for mobile apps.
Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products. Over 4.4 million websites from more than 175 countries globally use Shopify as of January 2023.
The company said that from the millions of Android apps indexed on BeVigil, 21 e-commerce apps were identified to have 22 hardcoded Shopify API keys/tokens, exposing personally identifiable information (PII) to potential threats. These e-commerce apps, according to the research, put close to 4 million users worldwide at risk, with shopping being the most affected category.
"Hard coding" means embedding a value, such as a credential or a server address, directly in a program or project rather than supplying it through configuration, so that it cannot be changed without modifying the code itself. For example, if the connection details for a database server are hard coded into a project, the user cannot change them.
Researchers explained that Shopify provides several types of tokens for development, each granting a different level of access to Shopify store data. For example, the Shopify API key identifies the app or integration that is making API calls; it is generated when a user creates an app in the Shopify Partner Dashboard.
By hardcoding the API key, the key becomes visible to anyone who has access to the code, including attackers or unauthorised users. If an attacker gains access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorised to do so, said the report.
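As an added defender-side example, not code from the report or from CloudSEK/BeVigil: a small scanner that flags Shopify-shaped credentials in decompiled app sources or a build tree before an app ships, reporting findings with the secret redacted. The token prefixes and lengths are assumed from publicly documented Shopify credential formats that common secret scanners match on, and the sample sources and tokens below are constructed.

```python
import re
from typing import Dict, List, Tuple

# Token shapes assumed from publicly documented Shopify credential prefixes
# (the same patterns common secret-scanner rules use); this is an assumption
# of the example, not something the report above lists.
SHOPIFY_TOKEN_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "admin_api_access_token": re.compile(r"\bshpat_[0-9a-fA-F]{32}\b"),
    "custom_app_access_token": re.compile(r"\bshpca_[0-9a-fA-F]{32}\b"),
    "private_app_access_token": re.compile(r"\bshppa_[0-9a-fA-F]{32}\b"),
    "shared_secret": re.compile(r"\bshpss_[0-9a-fA-F]{32}\b"),
}

def redact(token: str) -> str:
    """Keep the prefix and last 4 chars so a finding can be filed without re-leaking the secret."""
    head, _, body = token.partition("_")
    return f"{head}_{'*' * (len(body) - 4)}{body[-4:]}"

def scan_text(name: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, token_kind, redacted_token) for every match in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SHOPIFY_TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((name, line_no, kind, redact(m.group(0))))
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a mapping of path -> file contents (e.g. a decompiled APK tree)."""
    out: List[Tuple[str, int, str, str]] = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out

# Constructed sample of what a decompiler pulls out of an Android app; the
# tokens are fake (valid prefix plus 32 hex digits), the short one is a decoy.
SAMPLE_APP_SOURCES = {
    "com/example/shop/ApiClient.java":
        'static final String TOKEN = "shpat_0123456789abcdef0123456789abcdef";\n'
        'static final String LOOKS_LIKE = "shpat_tooShortToBeReal";\n',
    "res/values/strings.xml":
        '<string name="sec">shpss_ffffffffffffffffffffffffffffffff</string>\n',
}

if __name__ == "__main__":
    for path, line_no, kind, token in scan_files(SAMPLE_APP_SOURCES):
        print(f"{path}:{line_no}: {kind}: {token}")
```

Running the same scan over a project's source tree in CI (the mapping can be built with `pathlib`) turns a leaked key into a failed build rather than a shipped release.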
CloudSEK researchers have found that of the total hardcoded keys, at least 18 keys allow viewing customer-sensitive data, 7 API keys allow viewing/modifying gift cards and 6 API keys allow obtaining payment account information, including balances and payouts. “While the total number of downloads of these apps exceeds 182K, the actual number of impacted users is significantly more,” it said.
The company said that, while this situation is not a limitation of the Shopify platform, it highlights the issue of API keys and tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps about the hardcoded API keys.
This is not the first time Shopify has faced challenges in safeguarding customers and other stakeholders. On September 22, 2020, the Canadian e-commerce company disclosed a data breach affecting fewer than 200 of its customers. Shopify said that two ‘rogue’ employees accessed shopper data using Shopify’s Orders API, which lets merchants process orders on behalf of their customers.
In April 2022, crypto hardware wallet maker Ledger sued Shopify for failing to prevent the massive 2020 data breach, citing the "repeated and severe failure of Shopify to protect its clients' identities." A group of Ledger users filed a class-action lawsuit in the United States District Court for the District of Delaware against the firms, alleging that the companies failed to take reasonable precautions to avoid a data breach that compromised personal information and Bitcoin holdings.
The recent findings of hardcoded Shopify keys in numerous Android apps further highlight the lack of proper API security in the industry, which exposes the personal information of users, as well as transactional and order details, to potential attackers, CloudSEK researchers said.
Separate research conducted between June and November 2022 by CRA Business Intelligence, the research arm of cybersecurity information services company CyberRisk Alliance, found that almost half of the organisations it polled lack an overall strategy to guide API efforts. In 59% of firms, responsibility for API protection rests with developers, and these teams may lack the security expertise, skills or time to enforce security adequately; fully managed API attack protection platforms can fill this gap, it said.