Application security engineer and bug bounty hunter Ayoub Fathi disclosed his findings in a Medium blog post this week.
Shopify, which accounts for over 800,000 merchants in more than 175 countries, set up a new API over the past year which gained Fathi’s interest. This API was meant to be used to internally fetch sales data for graph presentations, but the system was found to be leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform.
The researcher set up a new store and supplied its name as $storeName on the same API endpoint to test whether the system was vulnerable to an Insecure Direct Object Reference (IDOR) bug. However, this resulted in a 404 error.
Fathi then decided to perform a mass check on all existing stores instead to see if any customer information would leak through the API.
He built a script that iterated a wordlist of store names against the endpoint and filtered the results down to the domains that proved vulnerable.
Out of 1000 stores, only four — one of which was closed — were shown to be vulnerable. However, the researcher dug deeper by using a larger dataset, containing 813,684 records, using Forward DNS.
He then ran a Bash script over these records, producing a list of vulnerable stores which were leaking the “sales data of Shopify merchants that includes a monthly breakdown of revenue in USD of thousands of stores from 2015 until today.”
“We have a list of vulnerable stores, so if we query any of them, we would get a breakdown of monthly revenue data in USD of the current store during its lifetime,” the researcher added.
The image below is an example of one shop owner’s revenue from 2015 until 2019.
“This was tested on 800,000 merchant stores, +12,100 of them were exposed, +8700 were vulnerable stores that we were able to obtain their sales and traffic data and they should not be public, and 3400 are expected to have their sales data public,” Fathi said.
Based on these findings, the researcher concluded that the leak was caused by the Shopify Exchange App, which was introduced a few months before the vulnerability seems to have appeared.
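To show the class of flaw described above, here is an added toy model (not Shopify's code or the researcher's script): a sales-data lookup where the caller-supplied store name is the only key, beside a version that also requires the requester to own the store or the store to have opted into a public listing. Store names, owners and revenue figures are constructed.

```python
# Added illustration of the IDOR pattern in the article; all data is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Store:
    name: str
    owner: str
    public_listing: bool  # e.g. the merchant opted into a public marketplace listing
    monthly_revenue_usd: dict = field(default_factory=dict)


# Constructed sample records (hypothetical names and figures).
STORES = {
    "alpha-goods": Store("alpha-goods", "alice", False, {"2019-01": 1200, "2019-02": 1500}),
    "beta-market": Store("beta-market", "bob", True, {"2019-01": 800}),
}


class NotFound(Exception):
    pass


def sales_data_vulnerable(store_name: str) -> dict:
    """Looks up by the supplied name only: anyone who can guess or enumerate
    a store name receives that store's revenue (the IDOR)."""
    store = STORES.get(store_name)
    if store is None:
        raise NotFound(store_name)
    return store.monthly_revenue_usd


def sales_data_hardened(store_name: str, requester: Optional[str]) -> dict:
    """Same lookup, but the object reference alone is not authorization:
    data is served only to the owner, or to anyone if the store is public."""
    store = STORES.get(store_name)
    if store is None:
        raise NotFound(store_name)
    if not (store.public_listing or requester == store.owner):
        # Same error as for a missing store, so the endpoint does not
        # confirm which store names exist to unauthorized callers.
        raise NotFound(store_name)
    return store.monthly_revenue_usd


def is_visible(store_name: str, requester: Optional[str]) -> bool:
    """True if the hardened endpoint would return data for this request."""
    try:
        sales_data_hardened(store_name, requester)
        return True
    except NotFound:
        return False
```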
The findings were sent to Shopify on 13 October 2019. The e-commerce platform acknowledged the findings three days later, fixing the issue within an hour of triage. Shopify then requested more information and the issue was closed on November 1.
Shopify has resolved the leak but chose not to award a bug bounty payout. The company cited policy violations as the reason.
During the researcher’s exploration, he “interacted with shops other than those created by [him],” which is in breach of the firm’s bug bounty rules.
In an email to Fathi, Shopify said:
“While we appreciate you were trying to demonstrate the impact of the identified issue, intentionally accessing information of other merchants and not immediately reporting this to us is of significant concern to Shopify. As a result, this report will not be awarded a bug bounty.”
The researcher believes the accusation related to not immediately reporting the bug is unfair considering the time it took to confirm the legitimacy of the security flaw. However, Fathi does accept that he broke the rules — but emphasized that this took place with the “best intention to demonstrate an impact and avoid sending a theoretical report without any working proof of concept.”
“I believe that I had no other way to demonstrate the existence of this particular security vulnerability if I have not proceeded it the way I did,” the researcher added. “Quite frankly, even the outcome of this report was not as expected, […] it’s my fault at the end.”
ZDNet has reached out to Shopify and will update if we hear back.