BeVigil, a free mobile application security testing tool owned by CloudSEK, has released a report claiming that close to four million users of Shopify-integrated Android apps are at risk from Shopify API tokens hardcoded into those apps. According to data compiled as of January 2023, Shopify helps more than 4.4 million websites from over 175 countries sell products and services online.
BeVigil claims in its report that 21 Android apps indexed on its platform carried 22 hardcoded Shopify API keys/tokens. Anyone who extracts these tokens from the apps can use them to reach customers' personally identifiable information (PII). The estimated user base of these 21 apps is close to four million, primarily merchants selling products online through Shopify.
The impact of these leaked tokens is critical and goes well beyond reading customer data. Depending on the token, an attacker gets access to customers' personal data (first name, last name, full address, phone number, country, province, city, email address, credit card details, etc.); write access to discounts, which allows setting a 100% discount so that a product becomes almost free; write access to price rules, for example a rule that gives the buyer $100.00 off an order; read access to every order placed on that Shopify store; and the ability to create orders on the store.
BeVigil Report
What is Hard Coding?
Hardcoding means embedding a fixed value, such as a password, an API key or a database connection string, directly in the program's source code instead of loading it at runtime from a configuration file, an environment variable or a secrets manager. Consider a database server whose connection credentials are hardcoded into the client: anyone who can read the compiled program can read the credentials, and changing them requires rebuilding and redistributing the program. The same applies to a mobile app, which ships its code to every user's device.
Shopify issues several types of tokens that let merchant partners' apps access store data and help merchants scale their online business. The primary one is the Shopify API key, which identifies the integration or app making the API calls to Shopify. The Application Programming Interface key is generated when the app is created in the Shopify Partner Dashboard.
Because the API key is hardcoded, it is visible to anyone with access to the code, and for a published Android app that includes anyone who downloads and decompiles the APK. Cybercriminals and other unauthorized users can extract these tokens and use them to read sensitive data and perform unwarranted actions on the store on behalf of the app. The report attributes the misuse of merchant and customer data to the hardcoding of the API keys.
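To make the hardcoding problem concrete, here is an added example (not code from the BeVigil report or from any of the apps it names) of the kind of scan a reviewer runs over an APK after unpacking it with apktool or jadx. It walks the decompiled files looking for Shopify Admin API access tokens, which carry the prefixes shpat_, shpca_, shppa_ or shpss_ followed by 32 hex characters, for bare 32-hex Storefront tokens sitting next to a Shopify header name, and for the store's myshopify.com domain. The file contents, token values, package and store names are constructed for the example, and the "critical" rating for a token paired with its store domain is this example's own triage rule.

```python
import re
from dataclasses import dataclass

# Shopify Admin API access tokens: fixed prefix + 32 hex characters.
#   shpat_  custom app token      shpca_  custom app created in the admin
#   shppa_  legacy private app    shpss_  shared secret
ADMIN_TOKEN = re.compile(r"\bshp(?:at|ca|pa|ss)_[0-9a-f]{32}\b", re.IGNORECASE)

# Storefront tokens are bare 32-hex strings and look like any MD5 digest, so
# (heuristic written for this example) only flag one when a Shopify-specific
# header or field name appears earlier on the same line.
STOREFRONT_TOKEN = re.compile(
    r"(?:x-shopify-storefront-access-token|storefront[_-]?(?:access[_-]?)?token)"
    r"[^\n]{0,40}?[\"']([0-9a-f]{32})[\"']",
    re.IGNORECASE,
)

# A token plus the shop it belongs to is an immediately usable credential.
SHOP_DOMAIN = re.compile(r"\b[a-z0-9][a-z0-9-]*\.myshopify\.com\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    value: str  # redacted for tokens, full for domains


def redact(secret: str) -> str:
    """Keep the prefix (identifies the token type) and the last four chars."""
    return secret[:6] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ADMIN_TOKEN.finditer(line):
            findings.append(Finding(path, lineno, "admin_api_token", redact(m.group(0))))
        for m in STOREFRONT_TOKEN.finditer(line):
            findings.append(Finding(path, lineno, "storefront_token", redact(m.group(1))))
        for m in SHOP_DOMAIN.finditer(line):
            findings.append(Finding(path, lineno, "shop_domain", m.group(0)))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """files maps a path inside the decompiled APK to its text content."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def triage(findings: list[Finding]) -> str:
    """Example rating: an Admin token is critical once the store it works
    against is also known; alone it is high; a Storefront token is medium."""
    kinds = {f.kind for f in findings}
    if "admin_api_token" in kinds and "shop_domain" in kinds:
        return "critical"
    if "admin_api_token" in kinds:
        return "high"
    if "storefront_token" in kinds:
        return "medium"
    return "none"


# Constructed stand-in for a decompiled APK (apktool resources plus jadx
# sources). Token values, package and store names are made up.
SAMPLE_TREE = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">ExampleShop</string>\n'
        '    <string name="shop_host">example-store.myshopify.com</string>\n'
        '    <string name="admin_token">shpat_0123456789abcdef0123456789abcdef</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/shop/StorefrontClient.java": (
        "public final class StorefrontClient {\n"
        "    void auth(Request.Builder b) {\n"
        '        b.addHeader("X-Shopify-Storefront-Access-Token", "deadbeefdeadbeefdeadbeefdeadbeef");\n'
        "    }\n"
        "}\n"
    ),
    "assets/config.properties": "api.base=https://api.example.com\nbuild=release\n",
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for f in results:
        print(f"{f.path}:{f.line} {f.kind} {f.value}")
    print("severity:", triage(results))
```

Run it against the output directory of apktool or jadx by reading each text file into the dictionary that scan_tree expects. The Storefront pattern is deliberately narrow, since a bare 32-hex regex over smali or resource files drowns in MD5 digests and UUID fragments; the Admin token prefixes, by contrast, are specific enough to report on their own.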
What Does it Mean?
Security researchers at CloudSEK found that 18 of the keys allow unauthorized users to read sensitive customer data, seven allow modification of gift cards, and six grant access to payment account information. The last group reveals a store's balances and payouts, putting the merchants' finances directly at risk.
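The breakdown above (customer data, gift cards, payment information) corresponds to the Admin API access scopes granted to each token. As an added example that is not part of the report, the following script parses the JSON body that Shopify's GET /admin/oauth/access_scopes.json endpoint returns for a token, expands write_* scopes (which in Shopify also grant the matching read_*), and tallies tokens per impact category the way the report does. The scope-to-impact table is this example's own paraphrase of the report's findings, and the three sample responses are constructed.

```python
import json

# Scope handle -> impact wording used in this example. Shopify defines the
# scope handles; the impact descriptions paraphrase the report's findings.
IMPACT_BY_SCOPE = {
    "read_customers": "read customer PII (name, address, phone, email)",
    "write_customers": "modify customer records",
    "read_orders": "read every order placed on the store",
    "write_orders": "create or edit orders",
    "write_discounts": "create discounts, e.g. 100% off a product",
    "write_price_rules": "create price rules, e.g. $100 off an order",
    "write_gift_cards": "issue or modify gift cards",
    "read_shopify_payments_payouts": "read Shopify Payments balances and payouts",
    "read_shopify_payments_disputes": "read Shopify Payments disputes",
}

# Coarser buckets matching how the report counts keys (customer data,
# gift cards, payment account information, ...).
CATEGORY_BY_SCOPE = {
    "read_customers": "customer_pii",
    "write_customers": "customer_pii",
    "read_orders": "orders",
    "write_orders": "orders",
    "write_discounts": "pricing",
    "write_price_rules": "pricing",
    "write_gift_cards": "gift_cards",
    "read_shopify_payments_payouts": "payments",
    "read_shopify_payments_disputes": "payments",
}


def effective_scopes(handles) -> set[str]:
    """A Shopify write_X scope also grants read_X; expand so the impact and
    category lookups see both."""
    handles = list(handles)
    scopes = set(handles)
    for h in handles:
        if h.startswith("write_"):
            scopes.add("read_" + h[len("write_"):])
    return scopes


def parse_access_scopes(body: str) -> set[str]:
    """Parse the JSON body returned by GET /admin/oauth/access_scopes.json
    (requested with the leaked token in the X-Shopify-Access-Token header)."""
    data = json.loads(body)
    return effective_scopes(s["handle"] for s in data["access_scopes"])


def impacts(scopes: set[str]) -> list[str]:
    return sorted({IMPACT_BY_SCOPE[s] for s in scopes if s in IMPACT_BY_SCOPE})


def categories(scopes: set[str]) -> set[str]:
    return {CATEGORY_BY_SCOPE[s] for s in scopes if s in CATEGORY_BY_SCOPE}


def summarize(responses: dict[str, str]) -> dict[str, int]:
    """Count tokens per category, the way the report states '18 keys allow
    access to customer data, seven to gift cards, six to payments'."""
    counts: dict[str, int] = {}
    for body in responses.values():
        for cat in categories(parse_access_scopes(body)):
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample: access_scopes.json responses for three leaked tokens.
SAMPLE_RESPONSES = {
    "token_a": json.dumps({"access_scopes": [
        {"handle": "read_customers"}, {"handle": "write_orders"}, {"handle": "write_discounts"}]}),
    "token_b": json.dumps({"access_scopes": [
        {"handle": "write_gift_cards"}, {"handle": "read_products"}]}),
    "token_c": json.dumps({"access_scopes": [
        {"handle": "read_shopify_payments_payouts"}, {"handle": "read_customers"}]}),
}

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name)
        for line in impacts(parse_access_scopes(body)):
            print("  -", line)
    print(summarize(SAMPLE_RESPONSES))
```

The point of the expansion step is that a token carrying only write_orders still exposes every order for reading; counting by the literal handle would undercount the read exposure.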
“While the total number of downloads of these apps exceeds 182K, the actual number of impacted users is significantly more,” the report states.
The report added that the problem is not Shopify's alone: some of the crucial API keys/tokens are being leaked from the app developers' side. CloudSEK has notified the Canadian company about the hardcoded API keys and the data exposure they cause.
Earlier Failures
If the allegations are true, this will be the second instance in which Shopify has failed to protect user information. In September 2020, Shopify disclosed a breach affecting data from fewer than 200 of its customers, in which two rogue employees accessed customer data through the Orders API.
A weak password policy on the customer-facing side is another weakness. According to research published by Specops, Shopify requires only that passwords be at least five characters long with no space at the beginning or end. The researchers ran one billion breached passwords against these rules and found that 99.7 percent meet them. Examples of breached passwords that pass include lunabelle, luckygurl, loveok, lovehate16 and login666.
Shopify also does not prohibit the word 'Shopify' in passwords; the researchers found 18 breached passwords such as shshopify, myshopify, shopify123, shopifyseoexpert and shopify. Although Shopify offers two-factor authentication (2FA), it is not required when creating an account. Nothing in the findings indicates that the e-commerce giant checks new passwords against lists of known compromised passwords.
Since so many breached passwords satisfy Shopify's minimum requirements, the risk from weak passwords is substantial.
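The Specops findings above reduce to two checks a registration form can run: the length and whitespace rule Shopify is reported to enforce, and a compromised-password lookup it reportedly does not. As an added example, not from Specops or Shopify, the following script implements both. The breach lookup uses the SHA-1 k-anonymity scheme of the Pwned Passwords range API (send only the first five hex characters of the hash, match the remaining 35 locally); the range data here is a local stand-in built from the five breached passwords the article lists, with made-up hit counts, so the example runs offline.

```python
import hashlib
from collections import defaultdict


def meets_shopify_minimum(password: str) -> bool:
    """The only rules Specops reports Shopify enforcing: at least five
    characters and no space at the beginning or end."""
    return len(password) >= 5 and password == password.strip(" ")


def sha1_range_parts(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the range service and the 35-char suffix that never leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_local_ranges(breached: dict[str, int]) -> dict[str, str]:
    """Constructed stand-in for the range API: for each prefix, a text body
    of 'SUFFIX:COUNT' lines in the format the real service returns."""
    buckets = defaultdict(list)
    for pw, count in breached.items():
        prefix, suffix = sha1_range_parts(pw)
        buckets[prefix].append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in buckets.items()}


def breach_count(password: str, lookup) -> int:
    """k-anonymity check: lookup(prefix) returns the range body; the suffix
    comparison happens locally. Returns the breach count, 0 if absent."""
    prefix, suffix = sha1_range_parts(password)
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def evaluate(password: str, lookup) -> dict:
    """Both checks together: a password can pass the minimum policy and
    still be a known-breached one, which is the gap the research describes."""
    return {
        "meets_minimum": meets_shopify_minimum(password),
        "breach_count": breach_count(password, lookup),
    }


# Constructed sample: the breached passwords cited in the Specops research,
# with made-up hit counts (the real counts are not on the page).
SAMPLE_BREACHED = {"lunabelle": 3, "luckygurl": 7, "loveok": 2, "lovehate16": 4, "login666": 12}
LOCAL_RANGES = build_local_ranges(SAMPLE_BREACHED)


def local_lookup(prefix: str) -> str:
    """Offline replacement for fetching https://api.pwnedpasswords.com/range/<prefix>."""
    return LOCAL_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in list(SAMPLE_BREACHED) + ["abcd", " lunabelle", "correct horse battery staple 2023"]:
        print(f"{pw!r}: {evaluate(pw, local_lookup)}")
```

To run it against the live service, replace local_lookup with a function that performs an HTTPS GET of the range URL for the prefix and returns the response text; the password itself and the full hash never leave the caller.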
Court Case
Apart from the BeVigil report, Shopify has also been named, together with hardware wallet maker Ledger, in a lawsuit brought by a group of Ledger customers over a data breach. The suit, filed in April 2022 in the United States District Court for the District of Delaware, alleges that Ledger and its vendors, Shopify among them, "repeatedly and profoundly failed to protect its customers' identities."
The plaintiffs claim that Shopify and TaskUs, a third-party vendor, are responsible for leaking Ledger buyers' personally identifiable information (PII) despite assurances of full security, and that both companies knew of the breach yet took over a week to notify customers. They want Ledger and Shopify to disclose what information was leaked and to pay actual and punitive damages.
France-based Ledger “initially denied that any compromise of PII had occurred,” but later backed down, said the complainant. The complainant added, “Despite the repeated promises and worldwide advertising campaign touting unmatched security for its customers, Ledger—and its data processing vendors, Shopify and TaskUs—repeatedly and profoundly failed to protect its customers’ identities, causing targeted attacks on thousands of customers’ crypto-assets and causing Class members to receive far less security than they thought they had purchased with their Ledger Wallets.”
The recent report highlights the lack of proper API security in a highly competitive e-commerce industry: users' personal information is at risk, along with their transaction and order details.
Story of Other Tech Companies
Earlier, CRA Business Intelligence, the research arm of CyberRisk Alliance, reported from a survey conducted between June and November 2022 that half of large tech companies lack a proper strategy to protect APIs. It added that around 59 percent of them struggle with a shortage of the security expertise, skills or time needed to protect user information from potential threats.
“The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes the personal information of users, as well as transactional and order details, to potential attackers,” the research claimed.
“The impacts of these secret tokens are critical and not just limited to access to customers’ personal data that includes first name, last name, full address, phone number, country name, province name, city, province, email address, credit card details, etc., access to write discounts that will allow an attacker to set a 100% discount on a product and in that case, the product would be almost free, access to write price rules like creating a price rule that gives the buyer $100.00 off an order, access to all the order details placed on that Shopify store and access to create orders on Shopify Store,” it concluded.