A flaw in Shopify API flaw exposed revenue and traffic data of thousands of stores

Pierluigi Paganini April 22, 2019

Researcher discovered a high-severity flaw in Shopify e-commerce platform that could have been abused to expose the traffic and revenue data for the stores.

Bug bounty hunter Ayoub Fathi. discovered a vulnerability in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores.

The Shopify platform is currently used by 800,000 different online merchants in more than 175 countries.

shopify

The white hat hacker analyzed the APIs published over the past year by Shopify that allow users to fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform.

The researcher carried out a mass check on all the existing stores to determine if the platform was affected by a Direct Object Reference (IDOR) issue iterating over $storeName.

Fathi then decided to perform a mass check on all existing stores instead to see if any customer information would leak through the API.

“The first idea that came to mind is to perform a mass check on eventually all existing stores, and see if we would get any customer data out of any.” reads a post published by the researcher.

“The attack process will be as follows:

  • Building a wordlist of store names (from storeName.myshopify.com);
  • Iterate the wordlist against the almost vulnerable endpoint:
/shops/$storeName/revenue_data.json
  • Filtering out the vulnerable domains;
  • Analyzing affected stores to figure out the root cause of the observed behaviour or eventual vulnerability.”

Fathi found that 4 out of 1000 stores (one of which was closed) were vulnerable. The researcher decided to make further test using a larger dataset, containing 813,684 records, using Forward DNS.

“Using this approach, we don’t need to generate store names from a given domain list. Instead, we will be using the FDNS to obtain reverse CNAME records of shops.myshopify.com (which all the stores point to) ” continues the expert. “Now, we will be looking for CNAME records that match shops.myshopify.com where Shopify merchants are hosting their stores.”

The hacker created and exploit.py script to use the new word list composed of 813K store names

Using this approach the expert retrieved a list of vulnerable stores and queried them to get monthly revenue data in USD of the current store during its lifetime.

“This was tested on 800K merchant stores, +12,100 of them were exposed, +8700 were vulnerable stores that we were able to obtain their sales and traffic data and they should not be public, and 3400 are expected to have their sales data public” wrote Fathi “to summarize:

  • This was tested on +800K stores
  • +12,100 were exposed
  • +8700 stores were vulnerable and their data is set to private.
  • Only +3400 stores data was expected to be public.”

The researcher discovered that the leak was caused by the Shopify Exchange App.

“Based on above data and a few more days of research, I came to the conclusion that this was caused by Shopify Exchange App (Actively used by merchants now) which was introduced only a few months before this vulnerability. Any merchant who has Exchange App installed would be vulnerable.” states Fathi.

Fathi reported the flaw to Spotify on 13 October 2018, the company acknowledged it on October 16 and closed the flaw on November 1.

The bad news is that Shopify has not awarded the expert citing policy violations because the expert tested shops not created for testing purposes.

Below an excerpt of the email Shopify sent to the expert:

“While we appreciate you were trying to demonstrate the impact of the identified issue, intentionally accessing information of other merchants and not immediately reporting this to us is of significant concern to Shopify. As a result, this report will not be awarded a bug bounty.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment