Over 40 lakh mobile users are at risk of hacking
Hardcoding the API key makes the key visible to anyone who has access to the code, including attackers or unauthorized users.
If an attacker gets access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorized to do so, security researchers said.
“The recent discovery of hard-coded Shopify keys in a number of Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes personal information of users, as well as transaction and order details, to potential attackers ,” said Vishal Singh, senior security engineer at CloudSEK.
Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products.
Over 4.4 million websites from more than 175 countries globally use Shopify.
With the ease of creating an online store, it also allows the integration of third-party apps and plugins to add additional functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.
“While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps of the hardcoded API keys,” said the firm.
The researchers found that of the total hard-coded keys, at least 18 keys allow viewing of customer-sensitive data, 7 API keys allow viewing/modification of gift cards, and 6 API keys allow retrieval of payment account information, including balances and withdrawals.
While the total number of downloads of these apps exceeds 182,000, the actual number of affected users is significantly more (over 40 lakh).
The API may also allow threat actors to view more detailed sensitive information about a particular customer ID.
“Using this API endpoint, a malicious actor could gain unauthorized access to bank transaction information such as credit/debit card details used by customers for purchases,” the report said.