Millions of Android e-commerce app users are at risk of their sensitive data being used by scammers, researchers claim.
A recent report from CloudSEK’s BeVigil says researchers discovered 21 e-commerce apps with 22 hard-coded Shopify API keys/tokens that can reveal personally identifiable information (PII) of approximately four million users.
“Hard-coding the API key makes the key visible to anyone with access to the code, including attackers or unauthorized users. If an attacker gains access to the hard-coded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorized to do so,” the company said in a press release.
Credit card information
Of the 22 hard-coded keys, at least 18 allow attackers to view sensitive customer data, the researchers further explained, adding that 7 API keys enable viewing and modification of gift cards and 6 API keys enable threat actors to steal payment account information.
The sensitive data includes the store owner’s name, email ID, website name, country, full address, phone number, and more. Customer past orders, as well as email marketing preferences, can also be obtained.
As for payment account information, attackers can gain access to banking transaction details, such as the credit and debit card data that customers use to make purchases. BIN numbers, the final digits of card numbers, card issuer names, browser IP addresses, cardholder names, expiration dates and other sensitive data could all be obtained.
To prove their point, the researchers shared store details retrieved by authenticating with one of the exposed API keys.
The researchers also emphasized that this is not a mistake on Shopify’s part, but rather a broader issue of API keys and tokens being leaked by app developers.
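As an added illustration of the developer-side check this implies (example code, not from the article, CloudSEK or Shopify): a small scanner that flags Shopify access tokens and URL-embedded Admin API credentials in decompiled app sources or resource files, reporting only redacted values. The token prefixes and the legacy URL credential format are assumptions based on commonly documented Shopify formats, and the sample input is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Token prefixes are an assumption based on commonly documented Shopify
# access-token formats (shpat_ Admin API, shpca_ custom app, shppa_ private
# app, shpss_ shared secret); the article itself names no format.
SHOPIFY_TOKEN_RE = re.compile(r"\b(shp(?:at|ca|pa|ss)_[0-9a-fA-F]{32})\b")
# Legacy private-app style credential embedded in an Admin API URL
# (assumed format): https://<api_key>:<password>@<shop>.myshopify.com/admin
SHOPIFY_URL_CRED_RE = re.compile(
    r"https://([0-9a-fA-F]{32}):([0-9A-Za-z_]{20,})@([a-z0-9-]+)\.myshopify\.com/admin"
)

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str        # never report the full secret
    shop: Optional[str]  # store name when it can be recovered from a URL

def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the code."""
    return secret[:8] + "..." + secret[-4:]

def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one decompiled source or resource file for hard-coded Shopify credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SHOPIFY_TOKEN_RE.finditer(line):
            findings.append(Finding(path, lineno, "access_token", redact(m.group(1)), None))
        for m in SHOPIFY_URL_CRED_RE.finditer(line):
            findings.append(Finding(path, lineno, "url_basic_auth", redact(m.group(2)), m.group(3)))
    return findings

# Constructed sample resembling decompiled app strings; the values are not real keys.
SAMPLE = """\
<string name="api_base">https://example-shop.myshopify.com/admin/api/2023-01/</string>
private static final String TOKEN = "shpat_0123456789abcdef0123456789abcdef";
String url = "https://00112233445566778899aabbccddeeff:secretpassword1234567890@example-shop.myshopify.com/admin/api/2023-01/orders.json";
"""

if __name__ == "__main__":
    for f in scan_text("res/values/strings.xml", SAMPLE):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted} shop={f.shop}")
```

Run `scan_text` over every text-like file (Java, Kotlin, smali, XML, JSON) produced by a decompiler such as jadx or apktool, ideally as a pre-release CI step, so a leaked token is caught before the build ships.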
Shopify is an e-commerce platform that helps businesses set up an online store quickly and easily. Today, more than four million websites have integrated Shopify into their online shopping experience, enabling visitors to purchase both physical and digital products.
Shopify has been notified of CloudSEK’s findings, but has yet to respond.