Over 40 lakh mobile users are at risk of hacking

Over 40 lakh mobile users are at risk of hacking

New Delhi: Over 40 lakh mobile phone users’ sensitive data is at risk of hacking after cyber security researchers on Friday uncovered a critical security flaw in Shopify application programming interface (API) keys/tokens.
Cyber ​​security company CloudSEK‘s BeVigil, a mobile app security search engine, uncovered the vulnerability that puts over 40 lakh mobile customers’ sensitive data at risk.

From millions of Android apps, 21 e-commerce apps were identified as having 22 hardcoded Shopify API keys/tokens, exposes personally identifiable information (PII) to potential threats.

Hardcoding the API key makes the key visible to anyone who has access to the code, including attackers or unauthorized users.


If an attacker gets access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorized to do so, security researchers said.

“The recent discovery of hard-coded Shopify keys in a number of Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes personal information of users, as well as transaction and order details, to potential attackers ,” said Vishal Singh, senior security engineer at CloudSEK.

Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products.

Over 4.4 million websites from more than 175 countries globally use Shopify.

With the ease of creating an online store, it also allows the integration of third-party apps and plugins to add additional functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.

See also  Red card for privacy. Update on the Medibank breach. GAO report shows rise in personal data leaks at DoD. Twitter shake-up raises security concerns.

“While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps of the hardcoded API keys,” said the firm.

The researchers found that of the total hard-coded keys, at least 18 keys allow viewing of customer-sensitive data, 7 API keys allow viewing/modification of gift cards, and 6 API keys allow retrieval of payment account information, including balances and withdrawals.

While the total number of downloads of these apps exceeds 182,000, the actual number of affected users is significantly more (over 40 lakh).

The API may also allow threat actors to view more detailed sensitive information about a particular customer ID.

“Using this API endpoint, a malicious actor could gain unauthorized access to bank transaction information such as credit/debit card details used by customers for purchases,” the report said.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *