Millions of online shoppers could be at risk from hardcoded Shopify tokens

Security attack
(Image credit: Shutterstock / ozrimoz)

Millions of Android ecommerce app users are at risk of having their sensitive data accessed by crooks, researchers have claimed.

A recent report by CloudSEK’s BeVigil says researchers uncovered 21 ecommerce apps with 22 hardcoded Shopify API keys/tokens which could expose personally identifiable information (PII) of roughly four million users.

“By hardcoding the API key, the key becomes visible to anyone who has access to the code, including attackers or unauthorized users. If an attacker gains access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorized to do so,” the company said in a press release.

Credit card data

Of the 22 hardcoded keys, at least 18 allow attackers to view sensitive data belonging to customers, the researchers further explained, adding that 7 API keys allow viewing and modifying gift cards and that 6 API keys allow threat actors to steal payment account information. 

The sensitive data includes the shop owner's name, email ID, website name, country, complete address, phone number, and more. Customers’ past orders, as well as email marketing preferences, can also be obtained. 

As for payment account information, threat actors could access banking transaction information such as credit and debit card details that customers used for purchases. BIN numbers, credit card ending numbers, credit card company names, browser IPs, names on the credit cards, expiry dates, and other sensitive data - could all be obtained.

To prove their point, the researchers shared shop details on authentication using one of the exposed API keys.

The researchers also emphasized that this is not an oversight on Shopify’s end, but rather a wider issue of API keys and tokens being leaked by app developers. 

Shopify is an ecommerce platform that enables businesses to quickly and easily set up an online store. Today, more than four million websites have integrated Shopify into their online shopping experience, allowing visitors to buy both physical and digital products. 

Shopify was notified of CloudSEK’s findings, but has yet to respond.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.