InterSources Inc. Successfully Identifies API Vulnerability in Shopify VDP Program
We at InterSources Inc. actively participated in a Vulnerability Disclosure Program (VDP) and uncovered a critical flaw in Shopify's API that allowed unauthorized access to sensitive gift card data. This case study highlights the methodology, findings, and security improvements achieved by InterSources Inc., while contributing to Shopify's robust security posture.
Background
Our security team discovered the vulnerability while conducting an audit of a client's eCommerce platform. The affected endpoint, Shopify's /admin/api/xyz/cardql, facilitates server-side resource queries.
Vulnerability Details
The vulnerability allows staff members who are not authorized to view gift card data to generate requests that return it. Although UI restrictions prevent access through the admin interface, the API misconfiguration allows exploitation when specific queries are manipulated.
Endpoint: /admin/api/xyz/cardql
Exploitable by: Unauthorized staff users
Impacted Data: Gift card codes, balances, and IDs
Root Cause: Insufficient authorization checks within the API resolver logic
Testing Methodology
The InterSources team used A/B security testing to uncover the vulnerability. Two accounts were set up: (A) Sara, who was an admin, and (B) Bob, who did not have gift card access.
Baseline tests validated each account's permissions. InterSources then submitted manipulated queries with malicious payloads that bypassed Shopify's access control.
The modified query exposed gift card codes, gift card balances, and even gift card IDs.
Technical Insights
Default Query
The default query sent by the app:
Response: Access Denied.
Modified Query
The query was modified to include a code variable:
Response (JSON):
This unauthorized response revealed sensitive information about the gift cards.
InterSources Contacts Shopify for Next Steps
InterSources reached out to Shopify and discussed the exploit. Shopify validated our findings, and the issue was shown to be a broader systemic weakness that required patching.
Security Impact
Exploiting this vulnerability could result in:
Financial Loss: Unauthorized usage or distribution of gift cards.
RBAC Breach: Undermining Shopify’s role-based access control system.
Reputational Damage: Loss of trust among Shopify merchants and users.
Recommendations to Prevent in the Future
1. Move to Strict Authorization Checks: Enforce server-side role verification for all API endpoints.
2. Query Validation: The server should reject unauthorized or unexpected query variables.
3. Audit and Monitoring: Enable detailed logging of abnormal API query behavior to detect abuse patterns.
4. Regular Penetration Testing: Conduct comprehensive API penetration tests on a regular basis.
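The first three recommendations, as one resolver-level guard in Python (an added illustration, not Shopify's or InterSources' code; the gift card records, the Sara and Bob accounts, and the permission names are constructed for the example):

```python
import logging
from typing import Any

log = logging.getLogger("api.audit")

# Constructed sample data and accounts (not real Shopify records). Sara and Bob
# mirror the A/B test accounts: Sara may read gift cards, Bob may not.
GIFT_CARDS = {
    "gc_1": {"id": "gc_1", "code": "ABCD-EFGH-IJKL", "balance": 25.00},
    "gc_2": {"id": "gc_2", "code": "MNOP-QRST-UVWX", "balance": 100.00},
}
USERS = {
    "sara": {"gift_cards:read", "orders:read"},
    "bob": {"orders:read"},
}

# Variables the giftCard operation declares; anything else is rejected outright.
DECLARED_VARIABLES = {"id"}


def resolve_gift_card(user: str, variables: dict[str, Any]) -> dict[str, Any]:
    """Resolver-level guard: the permission and variable checks run on the
    server for every call, so UI restrictions are never the only defence."""
    # Recommendation 2: reject variables the operation did not declare.
    unexpected = set(variables) - DECLARED_VARIABLES
    if unexpected:
        log.warning("user=%s rejected_variables=%s", user, sorted(unexpected))
        return {"errors": ["Unexpected query variables"]}
    # Recommendation 1: role check inside the resolver, not only in the UI.
    if "gift_cards:read" not in USERS.get(user, set()):
        log.warning("user=%s denied=giftCard id=%s", user, variables.get("id"))
        return {"errors": ["Access Denied"]}
    card = GIFT_CARDS.get(variables.get("id"))
    if card is None:
        return {"errors": ["Gift card not found"]}
    # Recommendation 3: every successful read leaves an audit record.
    log.info("user=%s read=giftCard id=%s", user, card["id"])
    return {"data": {"giftCard": card}}
```

The warning lines are what a monitoring rule would alert on: repeated denials or rejected variables from one staff account are the abuse pattern the page describes.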
Our Value Promise
InterSources' team can give you confidence that your environment is secure. Our framework ensures that no detail is missed and no stone is left unturned. Explore more of our cybersecurity offerings here.