A plugin used by a number of popular eCommerce platforms has an over-sharing problem. Yopify is an eCommerce notification plugin used by a number of websites including BigCommerce, WooCommerce, Shopify, and LemonStand. It gives popup notifications about the latest 50 purchases made on a site for Shopify, BigCommerce and other platforms, leaks a significant amount of customers’ personal information to a determined attacker.
“Yopify works by having the e-commerce site load a JavaScript widget from the Yopify servers, which contains both the code to generate the UI element and the data used to populate it, stored as JSON. This widget does not require any authorization beyond a site-specific API key, which is embedded in the e-commerce site’s source code, and is easily extractable with a regular expression.”By scraping a client site to grab the API key and then simply running a curl command:
By scraping a client site to grab the API key and then simply running a curl command:
curl ‘https://yopify.com/api/yo/js/yo/3edb675e08e9c7fe22d243e44d184cdf/events.js?t=1490157080’
`3edb675e08e9c7fe22d243e44d184cdf` is the website ID and `t` value is the cache buster. An attacker can remotely obtain the data related to the last 50 buyers. This is refreshed as purchases are made. An attacker can vote every few hours for a few days/weeks/months and build up a database of an e-commerce site’s client set and associated buyers.
A patch has been released by Yopify on May 20.
