Posted on April 19, 2019 at 6:03 PM
One of the web's largest shopping platforms has had a severe security flaw exposed in its API. The platform in question is Shopify, which hosts over 800 thousand different merchants on its e-commerce software, all of whom would have been exposed by a critical flaw in its security.
Lone bug bounty hunter finds a critical flaw
Ayoub Fathi was the security researcher who exposed the flaw that was accessible via a vulnerable API endpoint. The flaw would have allowed malicious hackers to view and expose the traffic and revenue data for all 800 thousand plus merchants on the Shopify platform.
The security researcher and self-described independent bug bounty hunter found the flaw after noticing two Shopify merchants leaking the data. He declined to name the merchants whose leaks led him to the flaw. Ayoub had set up domain and URL alerts to tell him whenever a new API endpoint appeared on those domains and URLs. Once he was notified of an endpoint he had never seen before on an unnamed store, he found that the data was leaking from that particular endpoint.
Once he set about replicating that flaw, he was able to find revenue data leaking from another endpoint, belonging to a different retailer. The interesting thing about that store was that it had already been sold and taken off the market, yet it was still leaking data. The API endpoint responsible for the leaks belonged to the Shopify Exchange App, Fathi claims. The purpose of the endpoint was to take the store's data internally and display it as a graph to the store's owner.
The flaw was classified as a 7.5 on the CVSS 3.0 scale. The Common Vulnerability Scoring System is used to classify all bugs and security flaws found via bug bounty programs. This is a high score, and it resulted from customer traffic and revenue data being exposed even though no privileges and no user interaction were required to gain access to the data.
Once Fathi had the flaw mapped out, he tested it against the platform's stores. He did that by writing a script that fed a text file containing the names of all the stores on Shopify (pretty easy to find) into curl requests that retrieved the revenue data. He found that 12,100 stores were vulnerable to this security flaw, and he was able to obtain both revenue data and traffic numbers from over 8,000 of them. He said that any merchant who had the Exchange App installed was vulnerable.
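The endpoint described above served a store's figures to anyone who supplied a store name, and the test in the previous paragraph worked by walking a list of store names. The following added example (not Shopify's code; all store names, owners, figures, paths and addresses are constructed) shows the defender's side of both points: a dashboard handler that returns data by store id alone next to one that requires a session and checks ownership, plus a small access-log check that flags a client requesting an unusual number of distinct stores.

```python
from collections import defaultdict

# Constructed sample data: which account owns which store, and the
# per-store figures a dashboard endpoint would graph for the owner.
STORE_OWNERS = {"store-a": "alice", "store-b": "bob"}
STORE_STATS = {
    "store-a": {"revenue": 12000, "visits": 340},
    "store-b": {"revenue": 5100, "visits": 95},
}


class Unauthenticated(Exception):
    """The request carried no logged-in session."""


class Forbidden(Exception):
    """A session exists but is not allowed to see this store."""


def leaky_stats_handler(store_id, session_user=None):
    """The pattern the article describes: the lookup is keyed on the store
    id alone, so anyone who can list store names gets every store's numbers."""
    return STORE_STATS.get(store_id)


def owner_only_stats_handler(store_id, session_user):
    """Hardened handler: require a session, then check that the session's
    account owns the store before touching the data. Unknown stores and
    other people's stores get the same error, so the endpoint does not
    confirm which store ids exist."""
    if session_user is None:
        raise Unauthenticated()
    if STORE_OWNERS.get(store_id) != session_user:
        raise Forbidden()
    return STORE_STATS[store_id]


def access_outcome(store_id, session_user):
    """Return the data, or the name of the error the hardened handler raised."""
    try:
        return owner_only_stats_handler(store_id, session_user)
    except (Unauthenticated, Forbidden) as exc:
        return type(exc).__name__


def flag_enumerating_clients(log_lines, threshold):
    """Detection side: group dashboard requests by client address and return
    the clients that asked for more than `threshold` distinct stores.
    Assumed (constructed) log shape: 'client_ip method path status'."""
    stores_per_client = defaultdict(set)
    for line in log_lines:
        client, _method, path, _status = line.split()
        if path.startswith("/dashboard/stats/"):
            stores_per_client[client].add(path.rsplit("/", 1)[1])
    return sorted(c for c, stores in stores_per_client.items() if len(stores) > threshold)


# Constructed access-log lines: one client walks several stores, the
# other repeatedly opens its own dashboard.
SAMPLE_LOG = [
    "198.51.100.7 GET /dashboard/stats/store-a 200",
    "198.51.100.7 GET /dashboard/stats/store-b 200",
    "198.51.100.7 GET /dashboard/stats/store-c 200",
    "203.0.113.9 GET /dashboard/stats/store-a 200",
    "203.0.113.9 GET /dashboard/stats/store-a 200",
]


if __name__ == "__main__":
    print("leaky, no session:", leaky_stats_handler("store-a"))
    print("hardened, owner:", access_outcome("store-a", "alice"))
    print("hardened, other user:", access_outcome("store-a", "bob"))
    print("hardened, no session:", access_outcome("store-a", None))
    print("clients enumerating stores:", flag_enumerating_clients(SAMPLE_LOG, 2))
```

The ownership check belongs in the handler that serves the data, not in the front end that draws the graph; the article's detail that a store already sold off was still leaking is exactly what happens when the data path has no check of its own. The log check is deliberately crude (a threshold on distinct stores per client) and would sit alongside rate limiting rather than replace it.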
Shopify fixed the flaw within three days of being notified about it. The company said that it believes a "trusted experience is crucial to every merchant on our platform" and reiterated that its security strategies were in place to support that trust. It went on to say that the "bug bounty program reinforces these efforts" by helping it keep the platform as secure as possible. It also mentioned that the validation and engineering team had resolved the issue within an hour.
The disclosure was botched by Fathi
This week is the first time the flaw has been publicly disclosed; it was privately disclosed to Shopify on the 13th of October last year. However, the Shopify team did not consider the bug eligible for the bug bounty, as it had been tested against live shops rather than shops created for the express purpose of security testing.
For his part, Fathi said that he was in the wrong and would not make the same mistake again. He took full responsibility for his actions and for his lack of awareness of the procedures of Shopify's bug bounty program, and he extended his apologies to the Shopify team for his mistake.