A plugin used by a number of popular ecommerce platforms has an over-sharing problem.
Yopify, which provides popup notifications about the last 50 purchases made on a site for Shopify, BigCommerce and other platforms, leaks a significant amount of customers’ personal information to a determined attacker.
While the issue is not technically a software vulnerability, researchers at Rapid7, who privately disclosed it to Yopify’s vendor, Centire of India, were able to get a CVE issued by DHS (CVE-2017-3211).
The popups include the first name, last initial, city and recent purchase data of the last 50 customers on an ecommerce site using the plugin. Customers don’t opt-in to this feature, nor do they formally consent to the plugin sharing such information. While most of the visible data is benign, there are cases where purchases could indicate religious affiliation, sexual preference and other information users may want kept private.
In the background, as Rapid7 data scientist Oliver Keyes discovered, the data sent to the client from Yopify’s servers in a JSON blob was much more detailed and included first and last names in their entirety and location information. An attacker could then monitor the site hourly, daily or for any period of time and build a database of users and purchases.
Yopify’s first response to Rapid7’s disclosure was to add Base64 encoding to the JSON blob, obfuscating the data rather than sending it in the clear. But, as Rapid7 points out, Base64 is an encoding, not encryption: no shared secret is involved in protecting the data, so an attacker could still recover the user’s private information. On May 20, Yopify stopped sending the user’s last name in its entirety in the JSON blob.
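To illustrate the two fixes discussed above, here is an added example (not Yopify’s or Rapid7’s code) that contrasts Base64 obfuscation of a full purchase record with server-side data minimization. The record fields and values are constructed for illustration and are not Yopify’s actual schema; the point is that anyone can undo Base64 without a key, while a payload built from an allowlist of the fields the popup actually renders never carries the extra data to the client in the first place.

```python
import base64
import json

# Constructed sample of what a "recent purchase" record might hold server-side.
# Field names are assumptions for illustration, not Yopify's real schema.
FULL_RECORD = {
    "first_name": "Lauren",
    "last_name": "Hernandez",
    "city": "Portland",
    "region": "OR",
    "country": "US",
    "product": "Example product",
}

# The only fields the popup actually renders: first name, last initial, city, product.
POPUP_FIELDS = ("first_name", "last_initial", "city", "product")


def obfuscate_full_record(record):
    """The ineffective fix: Base64-encode the complete record.

    Base64 is an encoding, not encryption. There is no key, so whoever
    holds the blob can reverse it and read every field.
    """
    raw = json.dumps(record).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_blob(blob):
    """Reverses the obfuscation with no secret at all, recovering the full record."""
    return json.loads(base64.b64decode(blob).decode("utf-8"))


def minimize_for_popup(record):
    """The effective fix: build the popup payload server-side from an allowlist.

    Fields the UI never shows (full last name, region, country) are never
    placed in the response, so the client cannot leak what it never receives.
    """
    popup = {
        "first_name": record["first_name"],
        "last_initial": record["last_name"][:1],
        "city": record["city"],
        "product": record["product"],
    }
    return {key: popup[key] for key in POPUP_FIELDS}


def leaked_fields(sent_payload, rendered_fields=POPUP_FIELDS):
    """Audit helper: fields present in a payload that the client never renders.

    A non-empty result means the response over-shares relative to the UI.
    """
    return sorted(set(sent_payload) - set(rendered_fields))


if __name__ == "__main__":
    recovered = decode_blob(obfuscate_full_record(FULL_RECORD))
    print("fields the obfuscated blob still exposes:", leaked_fields(recovered))
    print("fields the minimized payload exposes:", leaked_fields(minimize_for_popup(FULL_RECORD)))
```

The `leaked_fields` check is the one worth adding to a review of any such widget: diff the fields in the server response against the fields the UI renders, and treat any surplus as exposure regardless of how the blob is encoded.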
“The piece of this that was initially a lot worse was that if you looked at the data that was sent to your browser, you could see more in there than was shown in the popup,” said Samuel Huckins, a program manager at Rapid7. These plugins are potentially running on thousands of ecommerce sites; Rapid7 said it found 300 reviews for Yopify alone. Other plugins exist with similar functionality, Huckins said, adding that some remove the customer’s name from a popup and just reveal that a customer in a particular location bought a particular product.
The plugins are meant to replicate the in-person buying experience on the web with popups on recent purchases meant to engage customers.
“Why would I need to know it was LaurenH who bought something just to see that this might be a product that I like,” Huckins said. “It just doesn’t add anything to the experience.”
Exploiting this issue to learn more about customers is a fairly trivial exercise. An attacker could use standard browser tools such as the Google Chrome Inspector widget that displays a webpage’s source.
“From there, it would take a bit more knowledge. You would need to grab the API key for Yopify, which is actually stored in the site’s source code,” Huckins said. “Once you grab that, you can make an API call to Yopify’s servers and that will give you back the data they would send to the browser for the popup for the last 50 users who made a purchase. Once you’re at that point, I would say it’s not super complex to make that API call on a regular basis and start building out names, locations and products purchased for whatever time period you wanted.”
According to Rapid7, Keyes found the issue on Feb. 28 when making a purchase on a site using Yopify. The researcher reached out to Centire and Shopify, which facilitated contact with Centire. The Base64 encoding was added May 18 and the last names in their entirety removed two days later.