Shopify API Vulnerability Helps Hackers Gain Sensitive Web Store Data
CYBER NEWS


Ayoub Fathi, a security researcher, has uncovered a dangerous Shopify API vulnerability that allows criminals to obtain a large amount of sensitive information from online stores. The problem appears to lie in the API the system uses to process data for graph presentations; on further analysis it turned out that this API can leak information.

Shopify API Vulnerability Leaks Data

The Shopify API, which is used by many online merchants around the world, has been found to contain a dangerous vulnerability. The problem lies not in the main module but in the section responsible for the graph presentations. The discovery was announced by security researcher Ayoub Fathi, who posted about it on his blog hosted at Medium. What is dangerous about this particular bug is that it has been found to leak revenue data in two instances so far; one of them has since been removed from the platform.


To demonstrate how this works, he set up a new store in order to test whether the API endpoint could be attacked. He then ran a scripted assessment of live stores, which showed that 4 out of 1000 stores were leaking. The experiment was then repeated with a larger list, which confirmed that many stores are affected: of 800,000 stores, more than 12,100 were exposed. The findings were reported to the company promptly and the vulnerability was patched in due time; however, data that had already leaked could not be recovered.

The service has not awarded a bug bounty payment to the researcher, as he accessed information belonging to web merchants and did not report the vulnerability to Shopify. At this moment there is no information available about successful hacking attempts, which means that both the researcher and the company were quick to mitigate the issue.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
