Shopify API flaw offered access to revenue data of thousands of stores

A researcher has discovered a security flaw in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores.

Application security engineer and bug bounty hunter Ayoub Fathi disclosed his findings in a Medium blog post this week.

Shopify, which serves over 800,000 merchants in more than 175 countries, set up a new API over the past year that caught Fathi’s interest. The API was intended for internal use, fetching sales data for graph presentations, but it was found to be leaking the revenue data of two unnamed Shopify stores, one of which had already been removed from the platform.

The researcher set up a new store and used the $storeName parameter on the same API endpoint to test whether the system was vulnerable to an Insecure Direct Object Reference (IDOR) bug. That request, however, returned a 404 error.

Fathi then decided to perform a mass check on all existing stores instead to see if any customer information would leak through the API.
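The flaw described above is a textbook IDOR: the endpoint resolves a store from a client-supplied name without checking that the caller is entitled to that store's data. The following added example (not from the article, Fathi's write-up or Shopify's code) models the flawed handler beside a hardened one, and adds a defender-side heuristic that flags the kind of mass check the article mentions. Store names, account names, figures and log lines are all constructed; the `threshold` value is an assumed tuning parameter.

```python
from collections import defaultdict

# Constructed sample data: store name -> (owner account, figures served to graphs).
STORES = {
    "alice-shop": ("alice", {"revenue": 12500.0, "visits": 3100}),
    "bob-shop": ("bob", {"revenue": 8200.0, "visits": 1900}),
}

class NotFound(Exception):
    """Stands in for an HTTP 404 response."""

def sales_data_vulnerable(caller: str, store_name: str) -> dict:
    """Flawed handler: the store is resolved purely from the client-supplied
    name, so any authenticated caller can read any store's figures (IDOR)."""
    if store_name not in STORES:
        raise NotFound(store_name)
    return STORES[store_name][1]

def sales_data_hardened(caller: str, store_name: str) -> dict:
    """Fixed handler: the reference is honoured only for a store the caller
    owns; unknown and foreign stores both get 404, so existence is not revealed."""
    entry = STORES.get(store_name)
    if entry is None or entry[0] != caller:
        raise NotFound(store_name)
    return entry[1]

def denied(handler, caller: str, store_name: str) -> bool:
    """True when the handler refuses the request with a 404."""
    try:
        handler(caller, store_name)
    except NotFound:
        return True
    return False

# Constructed access-log lines: "<caller> <store_name> <status>".
SAMPLE_LOG = [
    "alice alice-shop 200",
    "mallory alice-shop 200",
    "mallory bob-shop 200",
    "mallory carol-shop 404",
]

def flag_enumeration(log_lines: list[str], threshold: int = 3) -> set[str]:
    """Detection heuristic: callers that requested at least `threshold` distinct
    store names. 404s count too, since probing for misses is the signal."""
    seen = defaultdict(set)
    for line in log_lines:
        caller, store_name, _status = line.split()
        seen[caller].add(store_name)
    return {c for c, names in seen.items() if len(names) >= threshold}
```

The hardened handler deliberately returns the same 404 for a store that does not exist and for one the caller does not own, so the error alone cannot be used to confirm store names.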
