If you are tasked with pentesting Shopify stores owned by your company, you might be thinking about skipping a classic pentest altogether. Because the stores are hosted, patched and controlled in the cloud by Shopify itself, the risk does not seem obvious at first glance. Apart from a large internal security team, the company runs a very successful bug bounty program, so a huge crowd of specialists makes sure your stores are safe.
In reality, there are several weak spots which may introduce vulnerabilities or render some of Shopify’s defence mechanisms useless.
The first potential weak spot is the configuration of the store and admin accounts; let's skip it for now. The second weakness is the custom HTML template, which may include external scripts (the first step towards Magecart-like attacks) or sometimes results in DOM-based XSS flaws. The third one is the Shopify App Store.
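The external-script weakness above is easy to inventory before you even look at the apps. The following is an added example, not code from the original post: it parses a theme template, lists every `<script src>` that loads from a host outside an allowlist you maintain, and notes whether the tag carries a Subresource Integrity hash. The allowlist and the template fragment are constructed for illustration.

```python
"""Audit a Shopify theme template for externally loaded scripts.

Added example (not from the original post): every third-party <script src>
in a theme template is a Magecart-style foothold, so list them, compare them
against an allowlist of hosts you have consciously accepted, and flag those
that lack Subresource Integrity (SRI) hashes. The allowlist and the sample
template below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts we have deliberately accepted; everything else is reported.
# Assumed for the example, tune it to your store.
ALLOWED_SCRIPT_HOSTS = {"cdn.shopify.com"}

# Constructed fragment of a theme.liquid template (not a real store).
SAMPLE_TEMPLATE = """
<!doctype html>
<html>
<head>
  {{ content_for_header }}
  <script src="{{ 'theme.js' | asset_url }}" defer></script>
  <script src="https://cdn.shopify.com/s/files/1/0000/0000/t/1/assets/vendor.js"></script>
  <script src="https://analytics.example.net/tag.js" async></script>
  <script src="//widgets.example.org/chat.min.js"
          integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
          crossorigin="anonymous"></script>
</head>
<body>{{ content_for_layout }}</body>
</html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if "src" in attr_map:
            self.scripts.append(attr_map)


def classify_script(attr_map, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (host, verdict) for one script tag.

    host is None for same-origin or Liquid-generated assets; verdict is one
    of 'allowed', 'external-sri', 'external-no-sri'.
    """
    src = attr_map["src"].strip()
    # Liquid filters such as {{ 'theme.js' | asset_url }} render to a Shopify
    # CDN URL at runtime; treat them as first-party.
    if src.startswith("{{"):
        return None, "allowed"
    # urlparse handles absolute and protocol-relative (//host/...) URLs;
    # a plain path yields an empty netloc and is same-origin.
    host = urlparse(src, scheme="https").netloc.lower()
    if not host or host in allowed_hosts:
        return host or None, "allowed"
    if attr_map.get("integrity"):
        return host, "external-sri"
    return host, "external-no-sri"


def audit_template(template_text, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return the external scripts in a template that need review."""
    collector = ScriptCollector()
    collector.feed(template_text)
    findings = []
    for attrs in collector.scripts:
        host, verdict = classify_script(attrs, allowed_hosts)
        if verdict != "allowed":
            findings.append({"src": attrs["src"], "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        print(f"{f['verdict']:16} {f['host']:24} {f['src']}")
```

Two caveats when reading the output. SRI only helps for scripts whose content never changes, and many third-party tags update themselves, so the `external-no-sri` verdict is a prompt to justify the include rather than a defect in itself. More importantly, this scan only sees what is written into the theme; scripts that an installed app injects through the ScriptTag API never appear in the template, which is exactly why the third weak spot matters.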
While reviewing other weaknesses of the platform, we reported the following to Shopify (January 2021):
When store administrators install a third-party application, they are presented with an information screen about the API permissions the application requests, for example: "this application will be able to manage products; this includes products and collections". This allows administrators to assess the risk related to a given application and decide whether they want to grant it specific access. Because third-party apps are not covered by some of Shopify's internal application security mechanisms (such as its secure development process), and the data processed by the store is sensitive (personal data, payment data, passwords), the API permission mechanism is an important security boundary. Unfortunately, it does not seem to work in reality.
Issue 2. Passwords and payment flow access
Issue 3. Misleading permission descriptions
The impact is similar to the 2018 British Airways data breach: third-party applications have much wider access than their permissions show, including access to personal data, credit card numbers and passwords. If any third-party application is breached (which seems likely, considering the number of vulnerabilities and the lack of control from Shopify's side), the store data can be breached as well. Because of Shopify's defence mechanisms, the attack is more difficult to perform than a classic Magecart-like attack, but it is still realistic.
How to defend against this issue? The obvious solution is to strictly limit the external apps installed in your store. The other is to tailor your store pentesting activities: instead of spending your resources on pentesting Shopify core (done every day by dozens of specialists), make sure you cover every third-party application that has access to your data.
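A first step towards both defences is knowing which installed apps hold scopes that touch customer data, orders, checkout or the storefront code. The following is an added example, not code from the original post or from Shopify: it takes a JSON document shaped like the GraphQL Admin API `appInstallations` response (the shape is assumed here, and the payload is constructed rather than captured from a real store), groups each app's scope handles into risk categories chosen for this example, and ranks the apps so the pentest scope is the list of everything marked for review. Given the finding above, treat the granted scopes as the minimum of what an app can reach, not the maximum.

```python
"""Rank installed Shopify apps by the data and storefront access they hold.

Added example (not from the original post). Input is a JSON document shaped
like the GraphQL Admin API `appInstallations` query result (app title plus
the access scope handles granted at install time); the payload below is
constructed, not captured from a real store, and the risk grouping is this
example's assumption. The scope handles themselves are Shopify's.
"""
import json

# Scope handles grouped by what a compromised app holding them could do.
# The grouping is an assumption for this example.
SCOPE_RISK = {
    "customer-pii": {"read_customers", "write_customers"},
    "orders-and-payment-data": {"read_orders", "write_orders",
                                "read_all_orders", "read_draft_orders"},
    "checkout": {"read_checkouts", "write_checkouts"},
    # Anything that changes what the storefront serves is a Magecart foothold.
    "storefront-code-injection": {"write_script_tags", "write_themes", "write_content"},
}

# Constructed sample, shaped like a GraphQL `appInstallations` response.
SAMPLE_RESPONSE = json.dumps({
    "data": {"appInstallations": {"edges": [
        {"node": {"app": {"title": "Review Widget"},
                  "accessScopes": [{"handle": "read_products"},
                                   {"handle": "write_script_tags"}]}},
        {"node": {"app": {"title": "Loyalty Points"},
                  "accessScopes": [{"handle": "read_customers"},
                                   {"handle": "write_customers"},
                                   {"handle": "read_orders"}]}},
        {"node": {"app": {"title": "Inventory Sync"},
                  "accessScopes": [{"handle": "read_products"},
                                   {"handle": "write_products"}]}},
        {"node": {"app": {"title": "Checkout Upsell"},
                  "accessScopes": [{"handle": "write_checkouts"},
                                   {"handle": "read_all_orders"},
                                   {"handle": "write_themes"}]}},
    ]}}
})


def risk_categories(scope_handles):
    """Return the sorted risk categories triggered by a set of scope handles."""
    handles = set(scope_handles)
    return sorted(cat for cat, scopes in SCOPE_RISK.items() if handles & scopes)


def audit_installations(response_json):
    """Parse an appInstallations response and rank apps by risk.

    Returns a list of dicts (title, scopes, categories, in_pentest_scope),
    highest risk first. Every app that touches customer or payment data, or
    can inject storefront code, is marked as in scope for a pentest.
    """
    payload = json.loads(response_json)
    report = []
    for edge in payload["data"]["appInstallations"]["edges"]:
        node = edge["node"]
        scopes = sorted(s["handle"] for s in node["accessScopes"])
        cats = risk_categories(scopes)
        report.append({
            "title": node["app"]["title"],
            "scopes": scopes,
            "categories": cats,
            "in_pentest_scope": bool(cats),
        })

    # Storefront injection is the most direct route to card data, so it
    # outranks the plain count of categories.
    def weight(entry):
        return ("storefront-code-injection" in entry["categories"],
                len(entry["categories"]))

    return sorted(report, key=weight, reverse=True)


if __name__ == "__main__":
    for entry in audit_installations(SAMPLE_RESPONSE):
        flag = "REVIEW" if entry["in_pentest_scope"] else "ok"
        print(f"{flag:6} {entry['title']:16} {', '.join(entry['categories']) or '-'}")
        print(f"       scopes: {', '.join(entry['scopes'])}")
```

An app that only reads and writes products still ends up at the bottom of the list, which is the right place for it as far as the displayed scopes go; the point of the ranking is to decide where to spend pentest time first, not to declare anything out of reach.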
Contact: firstname.lastname@example.org – @sequndant