"Millions of Online Shoppers Could Be at Risk From Hardcoded Shopify Tokens"

Millions of Android e-commerce app users are at risk of having their sensitive data obtained by criminals. According to a recent analysis by BeVigil of CloudSEK, researchers discovered 21 e-commerce apps with 22 hardcoded Shopify Application Programming Interface (API) keys/tokens that could expose the Personally Identifiable Information (PII) of around four million users. When an API key is hardcoded, anyone with access to the code, including attackers and unauthorized users, can see it. An attacker who obtains the hardcoded key can use it to gain unauthorized access to sensitive data or to perform actions on behalf of the app. At least 18 of the 22 hardcoded keys allow attackers to view sensitive customer data, according to the researchers. They added that 7 API keys enable viewing and changing gift cards, and 6 API keys let threat actors steal payment account information. The sensitive information includes the shop owner's name, email address, website name, country, phone number, and more. Threat actors can also obtain customers' past orders and email marketing preferences. With regard to payment account information, threat actors could gain access to banking transaction data, such as the credit and debit card numbers used by customers to make purchases. This article continues to discuss the discovery and potential impact of 21 e-commerce apps with 22 hardcoded Shopify API keys/tokens.

TechRadar reports "Millions of Online Shoppers Could Be at Risk From Hardcoded Shopify Tokens"
