Millions of Android e-commerce app users risk having their sensitive data accessed by scammers, researchers have claimed.
A recent report from CloudSEK’s BeVigil says researchers discovered 21 e-commerce apps with 22 hard-coded Shopify API keys/tokens that could expose the personally identifiable information (PII) of around four million users.
“By hard-coding the API key, the key becomes visible to anyone with access to the code, including attackers or unauthorized users. If an attacker gains access to the hard-coded key, they can use it to gain access to sensitive data or perform actions on behalf of the program, even if not authorized to do so,” the company said in a press release.
Credit card data
Of the 22 hard-coded keys, at least 18 allow attackers to view sensitive customer data, the researchers explained, adding that seven of the keys allow viewing and modifying gift cards and six give access to customers' payment account information.
The sensitive data includes the store owner's name, email ID, website name, country, full address and phone number, among other fields. Customers' placed orders, as well as their email marketing preferences, can also be obtained.
Regarding payment account information, threat actors could gain access to banking transaction details such as the credit and debit card data that customers use for purchases: BIN numbers, credit card termination numbers, credit card company names, browser IP addresses, names on credit cards, expiration dates and other sensitive data could all be obtained.
To demonstrate the impact, the researchers shared store details they retrieved by authenticating with one of the exposed API keys.
The researchers also pointed out that this was not an oversight on Shopify’s part, but rather a broader issue of API keys and tokens being leaked by app developers.
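The pre-release check that would have caught the problem the researchers describe is a secret scan over the app's own source and resource files before the build is shipped. The following is an added example written for this article, not code from CloudSEK, BeVigil or Shopify. It assumes Shopify token shapes based on the publicly documented prefixes (shpat_, shppa_, shpca_, shpss_ followed by 32 hex characters); those prefixes do not appear in the article and should be checked against current Shopify documentation. The "decompiled app" files and the token values in them are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Assumed token shape: documented Shopify prefixes plus 32 hex characters.
# This is an assumption made for the example, not a detail from the article.
SHOPIFY_TOKEN_RE = re.compile(r"\b(shp(?:at|pa|ca|ss)_[0-9a-fA-F]{32})\b")

# Constructed sample files standing in for an Android project's source tree.
# Every path, class name and token value here is made up.
SAMPLE_FILES: Dict[str, str] = {
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">DemoShop</string>\n'
        '    <string name="shopify_token">shpat_0123456789abcdef0123456789abcdef</string>\n'
        "</resources>\n"
    ),
    "com/example/shop/ApiClient.java": (
        "public class ApiClient {\n"
        '    private static final String STORE = "demo-store.myshopify.com";\n'
        '    private static final String TOKEN = "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";\n'
        "}\n"
    ),
    "com/example/shop/BuildConfig.java": (
        "public final class BuildConfig {\n"
        '    public static final String VERSION_NAME = "1.4.2";\n'
        "}\n"
    ),
}


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding can be triaged
    without copying the full secret into logs or tickets."""
    prefix, _, body = token.partition("_")
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, redacted token) for every token-shaped
    string found in one file's contents."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SHOPIFY_TOKEN_RE.finditer(line):
            findings.append((path, lineno, redact(match.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of relative path -> file contents, in order."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    # A CI job would fail the build when this list is non-empty.
    for path, lineno, token in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded Shopify token {token}")
```

Run against the constructed tree it reports the two embedded tokens (the strings.xml entry and the Java constant) and leaves BuildConfig.java alone. The point of the redaction is that the scanner's own output must not become a second copy of the secret; the prefix and tail are enough to locate and rotate the key.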
Shopify is an e-commerce platform that allows businesses to quickly and easily create an online store. Today, over four million websites have integrated Shopify into their online shopping experience, allowing visitors to purchase physical and digital products.
Shopify has been notified of CloudSEK’s findings, but has not yet responded.