Over 40 lakh mobile users at hacking risk from compromised Shopify API keys

IANS, 11 February 2023

New Delhi: Over 40 lakh mobile phone users' sensitive data is at hacking risk after cyber security researchers on Friday uncovered a critical security flaw in Shopify application programming interface (API) keys/tokens.

Cyber-security company CloudSEK's BeVigil, a security search engine for mobile apps, uncovered the vulnerability that puts over 40 lakh mobile customers' sensitive data at risk.

From among millions of Android apps, 21 e-commerce apps were identified as containing 22 hardcoded Shopify API keys/tokens, exposing personally identifiable information (PII) to potential threats.

When an API key is hardcoded into an app, it becomes visible to anyone who can obtain the app's code, including attackers or unauthorised users.

If an attacker gains access to the hardcoded key, they can use it to access sensitive data or perform actions on behalf of the program, even if they are not authorised to do so, said security researchers.
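A defender-side check for the problem described above, added here as an example and not part of CloudSEK's or BeVigil's tooling: it walks a decompiled-app directory (constructed in a temp folder, with fake token values) and reports any string matching the Shopify token shapes that secret scanners commonly look for (assumed here: prefixes `shpat_`, `shpca_`, `shppa_`, `shpss_` followed by 32 hex characters), redacting the value in the report so the finding itself does not re-leak the secret.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Token shapes as used by common secret scanners for Shopify credentials
# (prefix + 32 hex chars); treated here as an assumption about the format.
SHOPIFY_PATTERNS = {
    "admin_access_token": re.compile(r"\bshpat_[0-9a-fA-F]{32}\b"),
    "custom_app_access_token": re.compile(r"\bshpca_[0-9a-fA-F]{32}\b"),
    "private_app_access_token": re.compile(r"\bshppa_[0-9a-fA-F]{32}\b"),
    "shared_secret": re.compile(r"\bshpss_[0-9a-fA-F]{32}\b"),
}
# Text artifacts that a decompiler (e.g. apktool/jadx output) leaves behind.
SCAN_SUFFIXES = {".java", ".kt", ".smali", ".xml", ".json", ".properties"}


def redact(token: str) -> str:
    """Keep only the prefix and last 4 chars so the report is safe to share."""
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


def scan_tree(root: Path) -> list:
    """Walk a decompiled-app directory and list hardcoded Shopify tokens."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue  # binaries and images are skipped
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for kind, pattern in SHOPIFY_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append({"file": path.relative_to(root).as_posix(),
                                     "line": lineno, "kind": kind,
                                     "token": redact(m.group(0))})
    return findings


def demo() -> list:
    """Constructed decompiled-app snippets; both token values are fake."""
    fake_admin = "shpat_" + "ab" * 16    # 32 hex chars after the prefix
    fake_secret = "shpss_" + "cd" * 16
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "res" / "values").mkdir(parents=True)
        (root / "res" / "values" / "strings.xml").write_text(
            f'<resources>\n  <string name="shop_token">{fake_admin}</string>\n</resources>\n')
        (root / "smali").mkdir()
        (root / "smali" / "ShopClient.smali").write_text(f'const-string v0, "{fake_secret}"\n')
        (root / "assets").mkdir()
        (root / "assets" / "logo.png").write_bytes(b"\x89PNG")  # not scanned
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The fix for a hit is not to obfuscate the string but to move the call behind a backend the app authenticates to, so the token never ships in the APK at all.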

"The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API security in the industry. This type of vulnerability exposes the personal information of users, as well as transactional and order details, to potential attackers," said Vishal Singh, senior security engineer at CloudSEK.

Shopify is an e-commerce platform that allows individuals and businesses to create an online store to sell their products.

Over 4.4 million websites from more than 175 countries globally use Shopify.

Besides making it easy to create an online store, it also allows the integration of third-party apps and plugins that add functionality to the store. Shopify can be used to sell physical and digital products, and it also offers a point-of-sale system for brick-and-mortar stores.

"While this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps about the hardcoded API keys," said the company.

The researchers found that, of the hardcoded keys, at least 18 allow viewing customer-sensitive data, 7 allow viewing or modifying gift cards, and 6 allow obtaining payment account information, including balances and payouts.

While the total number of downloads of these apps exceeds 182K, the actual number of impacted users is significantly more (over 40 lakh).

The API can also allow threat actors to view more detailed sensitive information about a particular customer ID.

"Using this API endpoint, an actor with malicious intent could gain unauthorized access to banking transaction information such as credit/debit card details used by customers for purchases," said the report.