Over 40 lakh mobile users at hacking risk from compromised Shopify API keys, Telecom News, ET Telecom

/in


New Delhi: Over 40 lakh mobile phone users’ sensitive data is at hacking risk after cyber security researchers on Friday uncovered a critical security flaw in Shopify application programming interface (API) keys/tokens.

Cyber-security company CloudSEK‘s BeVigil, a security search engine for mobile apps, uncovered the vulnerability that puts over 40 lakh mobile customers’ sensitive data at risk.

From the millions of Android apps, 21 e-commerce apps were identified to have 22 hardcoded Shopify API keys/tokens, exposing personally identifiable information (PII) to potential threats.

By hardcoding the API key, the key becomes visible to anyone who has access to the code, including attackers or unauthorised users.

If an attacker gains access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorised to do so, said security researchers.

“The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes the personal information of users, as well as transactional and order details, to potential attackers,” said Vishal Singh, senior security engineer at CloudSEK.

Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products.

Over 4.4 million websites from more than 175 countries globally use Shopify.

With the ease of creating an online store, it also allows the integration of third-party apps and plugins to add additional functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.

“While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps about the hardcoded API keys,” said the company.

The researchers found that of the total hardcoded keys, at least 18 keys allow viewing customer-sensitive data, 7 API keys allow viewing/modifying gift cards and 6 API keys allow obtaining payment…

Source…