Ayoub Fathi, a security researcher has uncovered a dangerous Shopify API vulnerability that allows criminals to hijack a lot of sensitive information from online stores. The problem appears to lie in the API used by the system which is designed to process data for graph presentations. However upon further analysis it appears that it can leak information.
Shopify API Vulnerability Leaks Data
The Shopify API which is used by many online merchants in the world has been found to contain a dangerous vulnerability. The problem lies not within the main module, but by the section that is responsible for the graph presentations. The discovery was announced by security researcher Ayoub Fathi who posted about this in his blog hosted at Medium. What’s dangerous about this particular bug is that it has been found to leak revenue data in two instances so far. One of them has since been removed from the platform.
In order to demonstrate how this works he set up a new store in order to test whether or not the API endpoint can be attacked. He then tested out a script assessment of live stores which has shown that 4 out of 1000 stores were found leaking. This experiment was then repeated using a larger list which confirms that a lot of stores are affected. The results of this second round show that of 800,000 stores more than 12,100 were exposed. The findings were reported to the company in a quick manner and the vulnerability was patched in due time however already leaked data could not have been reversed.
The service has not awarded a bug bounty payment to the researcher as he has accessed information of web merchants and has not reported the vulnerability to Shopify. At this moment there is no information available about successful hacking attempts which means that both the researcher and the company were quick to mitigate the issue.