The app in duscission is Shopify dropshipping app called Topdser which is also the official partner dropshipping app of AliExpress.
A mainstream Shopify app was leaking sensitive data and as a result, thousands of customers were affected. The app exposed private data of Shopify customers, including credit card data and personal details.
The Origins of the Leak Unclear
VPNMentor researchers who identified the data aren’t 100% sure about the actual originating point of the data leak. However, as per the evidence they have found, Shopify dropshipping app Topdser caused the leak.
Topdser is quite similar to Oberlo app that connects Shopify websites with AliExpress and automates other business processes.
“In this case, we couldn’t conclude with 100% certainty that Topdser was responsible for the data leak, although there’s considerable evidence to suggest it was,” said vpnMentor’s blog post shared with Hackread.com
The links embedded in the data were directed to the website of Topdser as no other company can gain access or permissions required to create them.
Thousands of Shoppers Impacted
Researchers state that over 100,000 purchase data was compromised from more than 17,000 Shopify stores. Additionally, researchers revealed that the exposed data was around 13GB at the time of discovery, but on Shodan, the total size of data was 95+ GB.
Similarly, at the time of discovery, the researchers noted that the number of leaked records was 17.5 million; however, Shodan revealed that 23 million records were compromised in total. This means the data leak could have impacted roughly 80,000 to 100,000 customers.
Shopify has been Notified
VPNMentor team discovered the data leak on 21st Nov 2020 and immediately notified Shopify since the exposed data belonged to Shopify. However, it is worth noting that the company is not responsible for the leak.
The research team also contacted Topdser on the same day to close the vulnerability and secure the exposed data. The database was taken offline on 24h Nov 2020, but none of the companies responded or released an official statement.
This is a serious issue since the exposed data can be used to steal from or defraud thousands of Shopify shoppers worldwide.