{"id":347,"date":"2023-02-10T06:16:47","date_gmt":"2023-02-10T06:16:47","guid":{"rendered":"https:\/\/bevigil.com\/blog\/?p=347"},"modified":"2023-02-10T06:20:09","modified_gmt":"2023-02-10T06:20:09","slug":"bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens","status":"publish","type":"post","link":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/","title":{"rendered":"<strong>BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens<\/strong>"},"content":{"rendered":"<p><strong>Author: <\/strong><a href=\"https:\/\/www.linkedin.com\/in\/hacback17\/\"><strong>Bablu Kumar <\/strong><\/a><\/p>\n<p><strong>Co-authors: <\/strong><a href=\"https:\/\/www.linkedin.com\/in\/umvishal\/\"><strong>Vishal Singh<\/strong><\/a><strong>, <\/strong><a href=\"https:\/\/www.linkedin.com\/in\/arshit-jain-841aa2153\/\"><strong>Arshit Jain<\/strong><\/a><strong> and <a href=\"mailto:mayank.pandey@cloudsek.com\">Mayank Pandey<\/a><\/strong><\/p>\n<h2><a id=\"post-347-_muvagycl1q3m\"><\/a>Introduction<\/h2>\n<p>CloudSEK\u2019s <a href=\"https:\/\/bevigil.com\/\">BeVigil<\/a>, the world\u2019s first security search engine for mobile apps, uncovered a critical security flaw in the mobile app industry. From the millions of Android apps indexed on BeVigil, 21 apps were identified to have 22 hardcoded Shopify API keys\/tokens, exposing personally identifiable information (PII) to potential threats. These apps put close to 4 million users worldwide at risk, with shopping being the most affected category. 
Unfortunately, this vulnerability is not uncommon: it is another instance of leaked API secrets found by the BeVigil team (see our recent coverage of an <a href=\"https:\/\/cloudsek.com\/whitepapers-reports\/hardcoded-api-keys-of-email-marketing-services-puts-54m-mobile-app-users-at-risk\">email marketing API key leak putting 54 Million+ users at risk<\/a>, where we also highlight secure coding best practices, and the <a href=\"https:\/\/bevigil.com\/blog\/exposed-payment-integration-api-keys-imperil-millions-of-users-transaction-details-and-pii\/\">Razorpay disclosure<\/a>).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"2048\" height=\"1048\" class=\"wp-image-348\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png 2048w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1-300x154.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1-1024x524.png 1024w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1-768x393.png 768w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1-1536x786.png 1536w\" sizes=\"(max-width: 2048px) 100vw, 2048px\" \/><\/p>\n<p>Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products. <a href=\"https:\/\/trends.builtwith.com\/shop\/Shopify\">Over 4.4 million websites<\/a> from more than 175 countries globally use Shopify as of 2023. Besides the ease of creating an online store, it also allows the integration of third-party apps and plugins to add additional functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.<\/p>\n<p>Shopify provides several types of tokens that can be used for development. 
The type of token used depends on the specific development task and the level of access needed to the Shopify store data. We shall look at these tokens in particular:<\/p>\n<ul>\n<li><strong>Shopify API Key<\/strong>: It is used to identify the app or integration that is making API calls. The API Key is generated when you create an app in the Shopify Partner Dashboard.<\/li>\n<li><strong>Shopify Access Token<\/strong>: It is used to authenticate API requests. An Access Token is generated when a user authorizes an app to access their shop data. It is used to perform read and write operations on the shop&#8217;s resources such as products, customers, and orders.<\/li>\n<li><strong>Shopify Private Access Token<\/strong>: It is similar to the Access Token, but it has higher privileges, allowing an app to perform sensitive operations such as creating and updating themes and fulfilling orders. The Private Access Token is generated in the Shopify Partner Dashboard and should be kept secure.<\/li>\n<\/ul>\n<p><strong>Note: While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys\/tokens being leaked by app developers.<\/strong><\/p>\n<h2><a id=\"post-347-_2fn233k6ghlj\"><\/a><strong>Analysis of Hardcoded Shopify Tokens<\/strong><\/h2>\n<p>Whenever a user submits an Android app for scanning, it gets indexed in the BeVigil search engine, along with all the popular apps submitted by other users. 
Our security research team used specialized Shopify Admin Key regexes to identify hardcoded secrets and tokens.<\/p>\n<h3><a id=\"post-347-_ozaufny1afo8\"><\/a>Interesting Findings from BeVigil<\/h3>\n<ul>\n<li>1,550 apps leaked <a href=\"https:\/\/cloudsek.com\/whitepapers_reports\/hardcoded-algolia-api-keys-could-be-exploited-by-threat-actors-to-steal-millions-of-users-data\/\">Algolia API keys<\/a>, out of which 32 apps contained hardcoded keys.<\/li>\n<li>3,207 apps are leaking <a href=\"https:\/\/cloudsek.com\/whitepapers_reports\/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army\/\">Twitter API keys<\/a> that can be used to gain access\/take over Twitter accounts.<\/li>\n<li>0.5% of mobile apps expose <a href=\"https:\/\/cloudsek.com\/whitepapers_reports\/mobile-apps-exposing-aws-keys-affect-100m-users-data\/\">AWS API keys<\/a>, thereby risking their internal networks and data.<\/li>\n<li>50% of the 600 analyzed apps were found to be leaking API keys of three well-known email service providers, <a href=\"https:\/\/cloudsek.com\/whitepapers-reports\/hardcoded-api-keys-of-email-marketing-services-puts-54m-mobile-app-users-at-risk\">Mailgun, MailChimp, and Sendgrid, putting over 54 million users at risk<\/a>.<\/li>\n<\/ul>\n<p><strong>Note: For more such interesting findings, you can use <\/strong><a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.cloudsek.bevigil\"><strong>CloudSEK\u2019s BeVigil mobile application<\/strong><\/a><strong> to assess these vulnerabilities of Android apps. 
Some of the salient features:<\/strong><\/p>\n<ul>\n<li>Find security scores of more than 1 million apps<\/li>\n<li>Receive real-time notifications for new apps as to how safe they are<\/li>\n<li>Monitor and control critical permissions and more<\/li>\n<\/ul>\n<figure id=\"attachment_349\" aria-describedby=\"caption-attachment-349\" style=\"width: 798px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-349\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-2.png\" alt=\"CloudSEK\u2019s BeVigil mobile app\" width=\"808\" height=\"1440\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-2.png 808w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-2-168x300.png 168w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-2-575x1024.png 575w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-2-768x1369.png 768w\" sizes=\"(max-width: 808px) 100vw, 808px\" \/><figcaption id=\"caption-attachment-349\" class=\"wp-caption-text\">CloudSEK\u2019s BeVigil mobile app<\/figcaption><\/figure>\n<h3><a id=\"post-347-_q1zaj0fh98ed\"><\/a><strong>Authentication<\/strong><\/h3>\n<p>All REST Admin API queries require a valid Shopify access token. Using the hardcoded access token, threat actors can get shop details along with sensitive information such as the shop owner&#8217;s name, email ID, website name, country, complete address, phone number, etc. 
For the proof-of-concept, the researchers got shop details on authentication using one of the exposed API keys.<\/p>\n<figure id=\"attachment_350\" aria-describedby=\"caption-attachment-350\" style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-350\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-3.png\" alt=\"Authenticated token exposes shop details\" width=\"710\" height=\"509\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-3.png 710w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-3-300x215.png 300w\" sizes=\"(max-width: 710px) 100vw, 710px\" \/><figcaption id=\"caption-attachment-350\" class=\"wp-caption-text\">Authenticated token exposes shop details<\/figcaption><\/figure>\n<h3><a id=\"post-347-_991wapas8lsr\"><\/a>Access Scopes<\/h3>\n<p>The Access Scope resource allows you to retrieve the permissions that a merchant has granted to an app, such as <strong>read_orders <\/strong>and <strong>write_products<\/strong>. These permissions allow apps to access data from a shop, and are granted when a merchant installs the app or updates an existing installation of the app. 
Threat actors can orchestrate their attacks and exfiltrate data based on the granted permissions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"628\" height=\"79\" class=\"wp-image-351\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-4.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-4.png 628w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-4-300x38.png 300w\" sizes=\"(max-width: 628px) 100vw, 628px\" \/><\/p>\n<figure id=\"attachment_352\" aria-describedby=\"caption-attachment-352\" style=\"width: 525px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-352\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-5.png\" alt=\"Access scopes retrieved based on the access token\" width=\"535\" height=\"346\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-5.png 535w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-5-300x194.png 300w\" sizes=\"(max-width: 535px) 100vw, 535px\" \/><figcaption id=\"caption-attachment-352\" class=\"wp-caption-text\">Access scopes retrieved based on the access token<\/figcaption><\/figure>\n<h3><a id=\"post-347-_dru7my8f981w\"><\/a>API Key Exposing Customer Data<\/h3>\n<p>The Customer resource stores valuable information regarding a shop&#8217;s customers, including their <strong>contact information<\/strong>, <strong>past orders<\/strong>, and email marketing preferences.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"941\" height=\"136\" class=\"wp-image-353\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-6.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-6.png 941w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-6-300x43.png 300w, 
https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-6-768x111.png 768w\" sizes=\"(max-width: 941px) 100vw, 941px\" \/><\/p>\n<figure id=\"attachment_354\" aria-describedby=\"caption-attachment-354\" style=\"width: 581px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-354\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-7.png\" alt=\"Customer resource exposing order details\" width=\"591\" height=\"493\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-7.png 591w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-7-300x250.png 300w\" sizes=\"(max-width: 591px) 100vw, 591px\" \/><figcaption id=\"caption-attachment-354\" class=\"wp-caption-text\">Customer resource exposing order details<\/figcaption><\/figure>\n<p>Furthermore, the API can also allow threat actors to view more detailed sensitive information about a particular customer ID.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"941\" height=\"133\" class=\"wp-image-355\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-8.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-8.png 941w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-8-300x42.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-8-768x109.png 768w\" sizes=\"(max-width: 941px) 100vw, 941px\" \/><\/p>\n<figure id=\"attachment_356\" aria-describedby=\"caption-attachment-356\" style=\"width: 667px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-356\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-9.png\" alt=\"Sensitive information of the customer\" width=\"677\" height=\"686\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-9.png 677w, 
https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-9-296x300.png 296w\" sizes=\"(max-width: 677px) 100vw, 677px\" \/><figcaption id=\"caption-attachment-356\" class=\"wp-caption-text\">Sensitive information of the customer<\/figcaption><\/figure>\n<h3><a id=\"post-347-_m5p4acrpclqo\"><\/a>Exposing Order Details<\/h3>\n<p>An order is a customer&#8217;s request to purchase one or more products from a shop. You can create, retrieve, update, and delete orders using the Order resource. The endpoint fetches the email ID, date, amount, etc.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"941\" height=\"106\" class=\"wp-image-357\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-10.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-10.png 941w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-10-300x34.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-10-768x87.png 768w\" sizes=\"(max-width: 941px) 100vw, 941px\" \/><\/p>\n<figure id=\"attachment_358\" aria-describedby=\"caption-attachment-358\" style=\"width: 678px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-358\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-11.png\" alt=\"Customer order details\" width=\"688\" height=\"610\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-11.png 688w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-11-300x266.png 300w\" sizes=\"(max-width: 688px) 100vw, 688px\" \/><figcaption id=\"caption-attachment-358\" class=\"wp-caption-text\">Customer order details<\/figcaption><\/figure>\n<h3><a id=\"post-347-_u7pq13ikiluj\"><\/a>Exposing Card Details<\/h3>\n<p>Using this API endpoint, an actor with malicious intent could gain unauthorized access to banking transaction information 
such as credit\/debit card details used by customers for purchases.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"939\" height=\"104\" class=\"wp-image-359\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-12.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-12.png 939w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-12-300x33.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-12-768x85.png 768w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/p>\n<p>The compromised data include the BIN number, credit card ending number, credit card company, browser IP, name on the credit card, expiration month and year, etc.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"550\" class=\"wp-image-360\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-13.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-13.png 975w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-13-300x169.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-13-768x433.png 768w\" sizes=\"(max-width: 975px) 100vw, 975px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"802\" height=\"327\" class=\"wp-image-361\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-14.png\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-14.png 802w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-14-300x122.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-14-768x313.png 768w\" sizes=\"(max-width: 802px) 100vw, 802px\" \/><\/p>\n<figure id=\"attachment_362\" aria-describedby=\"caption-attachment-362\" style=\"width: 505px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" 
class=\"wp-image-362\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-15.png\" alt=\"Exposing credit card details\" width=\"515\" height=\"200\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-15.png 515w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-15-300x117.png 300w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/><figcaption id=\"caption-attachment-362\" class=\"wp-caption-text\">Exposing credit card details<\/figcaption><\/figure>\n<h2><a id=\"post-347-_yje40uymisa1\"><\/a><strong>Conclusion<\/strong><\/h2>\n<p>The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes the personal information of users, as well as transactional and order details, to potential attackers. The impacts of these secret tokens are critical and not just limited to:<\/p>\n<ul>\n<li>Access to customers\u2019 personal data that includes first name, last name, full address, phone number, country name, province name, city, province, email address, credit card details, etc.<\/li>\n<li>Access to write discounts that will allow an attacker to set a 100% discount on a product and in that case, the product would be almost free.<\/li>\n<li>Access to write price rules like creating a price rule that gives the buyer $100.00 off an order.<\/li>\n<li>Access to all the order details placed on that Shopify store.<\/li>\n<li>Access to create orders on Shopify Store.<\/li>\n<\/ul>\n<h2><a id=\"post-347-_99hthal94xwa\"><\/a><strong>References<\/strong><\/h2>\n<ul>\n<li><a href=\"https:\/\/cloudsek.com\/whitepapers_reports\/hardcoded-algolia-api-keys-could-be-exploited-by-threat-actors-to-steal-millions-of-users-data\/\">Hardcoded Algolia API Keys Could be Exploited by Threat Actors to Steal Millions of Users\u2019 Data<\/a><\/li>\n<li><a 
href=\"https:\/\/cloudsek.com\/whitepapers_reports\/mobile-apps-exposing-aws-keys-affect-100m-users-data\/\">Mobile Apps Exposing AWS Keys Affect 100M+ Users\u2019 Data <\/a><\/li>\n<li><a href=\"https:\/\/cloudsek.com\/whitepapers-reports\/hardcoded-api-keys-of-email-marketing-services-puts-54m-mobile-app-users-at-risk\">Hardcoded API Keys of Email Marketing Services Puts 54M+ Mobile App Users at Risk<\/a><\/li>\n<\/ul>\n<h2><a id=\"post-347-_8qbszskg59lh\"><\/a>Appendix<\/h2>\n<figure id=\"attachment_363\" aria-describedby=\"caption-attachment-363\" style=\"width: 1190px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-363\" src=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/chart.png\" alt=\"Distribution of affected applications across PlayStore categories\" width=\"1200\" height=\"742\" srcset=\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/chart.png 1200w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/chart-300x186.png 300w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/chart-1024x633.png 1024w, https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/chart-768x475.png 768w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption id=\"caption-attachment-363\" class=\"wp-caption-text\">Distribution of affected applications across PlayStore categories<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>CloudSEK\u2019s BeVigil, the world\u2019s first security search engine for mobile apps, uncovered a critical security flaw in the mobile app industry.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[26],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>BeVigil Exposes Mobile App Danger: Over 4 Million Users 
Globally at Risk from Hardcoded Shopify Tokens - BeVigil Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens - BeVigil Blog\" \/>\n<meta property=\"og:description\" content=\"CloudSEK\u2019s BeVigil, the world\u2019s first security search engine for mobile apps, uncovered a critical security flaw in the mobile app industry.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\" \/>\n<meta property=\"og:site_name\" content=\"BeVigil Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/facebook.com\/cloudsek\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-10T06:16:47+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-10T06:20:09+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png\" \/>\n<meta name=\"author\" content=\"BeVigil\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@cloudsek\" \/>\n<meta name=\"twitter:site\" content=\"@cloudsek\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"BeVigil\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\"},\"author\":{\"name\":\"BeVigil\",\"@id\":\"https:\/\/bevigil.com\/blog\/#\/schema\/person\/815673cb0715af9f571f14d6ffc36a87\"},\"headline\":\"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens\",\"datePublished\":\"2023-02-10T06:16:47+00:00\",\"dateModified\":\"2023-02-10T06:20:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\"},\"wordCount\":1140,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/bevigil.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png\",\"keywords\":[\"API keys\"],\"articleSection\":[\"Android 
Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\",\"url\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\",\"name\":\"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens - BeVigil Blog\",\"isPartOf\":{\"@id\":\"https:\/\/bevigil.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage\"},\"thumbnailUrl\":\"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png\",\"datePublished\":\"2023-02-10T06:16:47+00:00\",\"dateModified\":\"2023-02-10T06:20:09+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage\",\"url\":\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\
/02\/word-image-347-1.png\",\"contentUrl\":\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png\",\"width\":2048,\"height\":1048},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/bevigil.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/bevigil.com\/blog\/#website\",\"url\":\"https:\/\/bevigil.com\/blog\/\",\"name\":\"BeVigil Blog\",\"description\":\"Security disclosures, News and Guides\",\"publisher\":{\"@id\":\"https:\/\/bevigil.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/bevigil.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/bevigil.com\/blog\/#organization\",\"name\":\"BeVigil Blog\",\"url\":\"https:\/\/bevigil.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bevigil.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2022\/01\/cropped-bevigil-logo.png\",\"contentUrl\":\"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2022\/01\/cropped-bevigil-logo.png\",\"width\":400,\"height\":400,\"caption\":\"BeVigil 
Blog\"},\"image\":{\"@id\":\"https:\/\/bevigil.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/facebook.com\/cloudsek\",\"https:\/\/x.com\/cloudsek\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/bevigil.com\/blog\/#\/schema\/person\/815673cb0715af9f571f14d6ffc36a87\",\"name\":\"BeVigil\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/bevigil.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/5b002b2a9b6222b970f73ce6beab539e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/5b002b2a9b6222b970f73ce6beab539e?s=96&d=mm&r=g\",\"caption\":\"BeVigil\"},\"sameAs\":[\"https:\/\/bevigil.com\/\"],\"url\":\"https:\/\/bevigil.com\/blog\/author\/bevigil\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens - BeVigil Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/","og_locale":"en_US","og_type":"article","og_title":"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens - BeVigil Blog","og_description":"CloudSEK\u2019s BeVigil, the world\u2019s first security search engine for mobile apps, uncovered a critical security flaw in the mobile app industry.","og_url":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/","og_site_name":"BeVigil 
Blog","article_publisher":"https:\/\/facebook.com\/cloudsek","article_published_time":"2023-02-10T06:16:47+00:00","article_modified_time":"2023-02-10T06:20:09+00:00","og_image":[{"url":"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png","type":"","width":"","height":""}],"author":"BeVigil","twitter_card":"summary_large_image","twitter_creator":"@cloudsek","twitter_site":"@cloudsek","twitter_misc":{"Written by":"BeVigil","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#article","isPartOf":{"@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/"},"author":{"name":"BeVigil","@id":"https:\/\/bevigil.com\/blog\/#\/schema\/person\/815673cb0715af9f571f14d6ffc36a87"},"headline":"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens","datePublished":"2023-02-10T06:16:47+00:00","dateModified":"2023-02-10T06:20:09+00:00","mainEntityOfPage":{"@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/"},"wordCount":1140,"commentCount":0,"publisher":{"@id":"https:\/\/bevigil.com\/blog\/#organization"},"image":{"@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage"},"thumbnailUrl":"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png","keywords":["API keys"],"articleSection":["Android 
Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/","url":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/","name":"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens - BeVigil Blog","isPartOf":{"@id":"https:\/\/bevigil.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage"},"image":{"@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage"},"thumbnailUrl":"http:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png","datePublished":"2023-02-10T06:16:47+00:00","dateModified":"2023-02-10T06:20:09+00:00","breadcrumb":{"@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#primaryimage","url":"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png","contentUrl":"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2023\/02\/word-image-347-1.png","width":2048,"height":1048},{"@type":"BreadcrumbList","@id":"https:\/\/bevigil.com\/blog\/bevigil-exposes-mobile-app-danger-over-4-million-users-globally-at-risk-from-hardcoded-shopify-tokens\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bevigil.com\/blog\/"},{"@type":"ListItem","position":2,"name":"BeVigil Exposes Mobile App Danger: Over 4 Million Users Globally at Risk from Hardcoded Shopify Tokens"}]},{"@type":"WebSite","@id":"https:\/\/bevigil.com\/blog\/#website","url":"https:\/\/bevigil.com\/blog\/","name":"BeVigil Blog","description":"Security disclosures, News and Guides","publisher":{"@id":"https:\/\/bevigil.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bevigil.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/bevigil.com\/blog\/#organization","name":"BeVigil Blog","url":"https:\/\/bevigil.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bevigil.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2022\/01\/cropped-bevigil-logo.png","contentUrl":"https:\/\/bevigil.com\/blog\/wp-content\/uploads\/2022\/01\/cropped-bevigil-logo.png","width":400,"height":400,"caption":"BeVigil Blog"},"image":{"@id":"https:\/\/bevigil.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/facebook.com\/cloudsek","https:\/\/x.com\/cloudsek"]},{"@type":"Person","@id":"https:\/\/bevigil.com\/blog\/#\/schema\/person\/815673cb0715af9f571f14d6ffc36a87","name":"BeVigil","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bevigil.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/5b002b2a9b6222b970f73ce6beab539e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5b002b2a9b6222b970f73ce6beab539e?s=96&d=mm&r=g","caption":"BeVigil"},"sameAs":["https:\/\/bevigil.com\/"],"url":"https:\/\/bevigil.com\/blog\/author\/bevigil\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/posts\/347"}],"collection":[{"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/comments?post=347"}],"version-history":[{"count":4,"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/posts\/347\/revisions"}],"predecessor-version":[{"id":461,"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/posts\/347\/revisions\/461"}],"wp:attachment":[{"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/media?parent=347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/categories?post=347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bevigil.com\/blog\/wp-json\/wp\/v2\/tags?post=347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
