Millions of users of Android e-commerce apps are at risk of sensitive data being accessed by scammers, researchers claim.
A recent report by CloudSEK’s BeVigil said that researchers found 21 e-commerce apps containing 22 hard-coded Shopify API keys/tokens that potentially exposed the personally identifiable information (PII) of approximately 4 million users.
“By hardcoding an API key, the key can be seen by anyone with access to the code, including attackers or unauthorized users. If an attacker gains access to a hardcoded key, it can be used to access sensitive data or perform actions on behalf of programs, even if they are not authorized to do so,” the company said in a release.
The researchers further explained that at least 18 of the 22 hard-coded keys allowed attackers to view sensitive customer data, adding that seven API keys allowed viewing and modification of gift cards and six API keys allowed attackers to steal payment account information.
Sensitive data includes the store owner’s name, email ID, website name, country, full address, phone number, and so on. Customers’ past orders and email marketing preferences are also available.
As for payment account information, threat actors have access to banking transaction details, such as the credit and debit card data customers use to make purchases. BIN numbers, the last digits of card numbers, card issuer names, browser IP addresses, cardholder names, expiration dates and other sensitive data are all exposed.
To prove their point, the researchers shared store details retrieved by authenticating with one of the publicly exposed API keys.
The researchers also emphasized that this was not an oversight on Shopify’s end, but rather a broader issue of app developers leaking API keys and tokens.
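The developer-side fix the researchers point to is keeping such tokens out of the shipped app entirely; the scanner below, an added example that is not CloudSEK’s or Shopify’s code, is the kind of pre-release check a build pipeline can run over an app’s source or decompiled resources. It assumes Shopify access tokens use the common `shpat_`/`shpca_`/`shppa_`/`shpss_` prefix followed by 32 hex characters, and the `strings.xml` sample is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Assumption: Shopify access tokens carry a recognisable prefix followed by
# 32 hex characters (shpat_ = Admin API, shpca_/shppa_ = custom/private app,
# shpss_ = shared secret). Adjust if the format changes.
SHOPIFY_TOKEN_RE = re.compile(r"\b(shp(?:at|ca|pa|ss)_[0-9a-fA-F]{32})\b")

# Files in an Android source tree or decompiled APK where secrets usually land.
SCAN_SUFFIXES = {".xml", ".java", ".kt", ".smali", ".json", ".properties", ".js"}

class Finding(NamedTuple):
    path: str
    line_no: int
    token_kind: str
    redacted: str

def redact(token: str) -> str:
    # Never copy the full secret into CI logs; keep the prefix and last 4 chars.
    prefix, _, body = token.partition("_")
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"

def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SHOPIFY_TOKEN_RE.finditer(line):
            token = m.group(1)
            findings.append(Finding(path, line_no, token[:5], redact(token)))
    return findings

def scan_tree(root: Path) -> list[Finding]:
    # Walk a checked-out app or a decompiled APK directory before release.
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample: the kind of strings.xml a careless build would ship.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ShopDemo</string>
    <string name="shopify_store">example-store.myshopify.com</string>
    <string name="shopify_token">shpat_0123456789abcdef0123456789abcdef</string>
</resources>
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS_XML, "res/values/strings.xml"):
        print(f"{f.path}:{f.line_no}: hard-coded Shopify token ({f.token_kind}) {f.redacted}")
```

A non-empty result should fail the build; the token itself belongs on a backend that proxies Shopify calls, not in the APK.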
Shopify is an e-commerce platform that allows businesses to set up an online store quickly and easily. Today, more than 4 million websites have integrated Shopify into their online shopping experience, allowing visitors to buy both physical and digital products.
Shopify has been informed of CloudSEK’s findings, but has not yet responded.