Over 40 lakh mobile phone users' sensitive data is at hacking risk after cyber security researchers on Friday uncovered a critical security flaw in Shopify application programming interface (API) keys/tokens.
Cyber-security company CloudSEK's BeVigil, a security search engine for mobile apps, uncovered the vulnerability that puts over 40 lakh mobile customers' sensitive data at risk.
From the millions of Android apps, 21 e-commerce apps were identified to have 22 hardcoded Shopify API keys/tokens, exposing personally identifiable information (PII) to potential threats.
By hardcoding the API key, the key becomes visible to anyone who has access to the code, including attackers or unauthorised users.
If an attacker gains access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorised to do so, said security researchers.
"The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes the personal information of users, as well as transactional and order details, to potential attackers," said Vishal Singh, senior security engineer at CloudSEK.
Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products.
Over 4.4 million websites from more than 175 countries globally use Shopify.
With the ease of creating an online store, it also allows the integration of third-party apps and plugins to add additional functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.
"While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps about the hardcoded API keys," said the company.
The researchers found that of the total hardcoded keys, at least 18 keys allow viewing customer-sensitive data, 7 API keys allow viewing/modifying gift cards and 6 API keys allow obtaining payment account information, including balances and payouts.
While the total number of downloads of these apps exceeds 182K, the actual number of impacted users is significantly more (over 40 lakh).
The API can also allow threat actors to view more detailed sensitive information about a particular customer ID.
"Using this API endpoint, an actor with malicious intent could gain unauthorized access to banking transaction information such as credit/debit card details used by customers for purchases," said the report.