A researcher has uncovered a high-severity vulnerability in an e-commerce software platform used by 800,000 different online merchants, which could have been abused to expose the traffic and revenue data for the stores.
The platform is Shopify, which was found exposing store data dating back to 2015 via a vulnerable API endpoint, according to researcher Ayoub Fathi.
Fathi said that in the course of bug-hunting as part of the company’s bug-bounty program, he noticed the flaw after finding that the API was leaking data of two unnamed Shopify merchants. He had set up an alert to notify him when new API endpoints appeared on a list of subdomains and URLs. He was notified of a new endpoint he had never seen before for an unnamed store, and upon further investigation, Fathi found the data leaking via this endpoint.
Fathi also identified another incident of the same API leaking the revenue data of another unnamed store – and while the store was sold a while ago and removed from the marketplace, the data was still being returned “for some reason,” he said.
The two incidents were due to a vulnerable API endpoint, the Shopify Exchange App, said Fathi. The API endpoint, which is essentially one end of a communication channel, was supposed to be used internally to take sales data and present it in a graph.
“As per CVSS 3.0, the score of this particular finding is 7.5— high, which reflects the significance of the vulnerability. Customer traffic and revenue data were exposed, where no privileges nor user interaction is required to gain access to the information,” Fathi said in an analysis of the flaw, in a Medium post this week.
Fathi then tested whether the flaw impacted other stores on the platform: He did so by creating a script that takes 800,000 store names as an input (stores-exchange.txt), sends a curl request to retrieve the sales data, and then inserts the store name (within the same JSON response entry using DAP Library) before printing the data.
From this, Fathi discovered that out of the platform’s 800,000 merchant stores, 12,100 were exposed, and out of that number, Fathi could obtain sales and traffic data for more than 8,700 of them. That included a monthly breakdown of revenue in USD of thousands of stores from 2015 to the present.
“Based on above data and a few more days of research, I came to the conclusion that this was caused by Shopify Exchange App (actively used by merchants now), which was introduced only a few months before this vulnerability,” he said. “Any merchant who has Exchange App installed would be vulnerable.”
Shopify has since patched the flaw: “At Shopify, we know that a trusted experience is crucial to every merchant on our platform and we have comprehensive security strategies in place to support this,” a Shopify spokesperson told Threatpost. “Our bug-bounty program reinforces these efforts and helps ensure we deliver the most secure platform for our merchants. After validating the report, our engineering team resolved the issue within the hour.”
There’s no indication of whether the flaw was exploited before Shopify addressed the issue.
Disclosure
While this week marks the first time the vulnerability has been publicly exposed, the flaw was first disclosed to Shopify in Oct. 13 2018, and fixed three days later.
While Fathi submitted the bug as part of Shopify’s bounty program, he was told it was not eligible as it was in violation of the company’s bounty policies. Specifically, the bug-bounty program states participants may only test against shops they created; they cannot attempt to access or interact with other shops they created; and must report any discovered vulnerability to Shopify as soon as they have validated the flaw.
Fathi for his part acknowledged that he did interact with shops other than those created by him, and: “Hence, I unintentionally violated the said policy regardless of my good intentions. As a result, I fully assume the consequences and respect their decision and extend my apologies to Shopify team for the lack of awareness.”
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.