We have a potential security issue we’ve encountered with the password reset functionality in one of our Shopify stores. It seems that the password reset link is inadvertently being sent to third-party services like Google Analytics, Facebook, and Klaviyo, which could expose sensitive data or tokens.
Problem Details:
- The password reset link is being forwarded in network requests to third-party services, such as Google Analytics, Facebook, and Klaviyo.
- This could pose a security risk, as these links contain information used for password resets.
Steps to Reproduce:
1. A user requests a password reset.
2. The reset link is sent via email.
3. Upon clicking the link, it is partially forwarded to tracking and analytics tools like Google Analytics, Facebook, and Klaviyo.
We understand that such links should typically be protected and only processed within the store itself. Therefore, we want to ensure that password reset links do not reach third-party services in order to protect user data.
Actions Taken So Far:
We have already taken steps to investigate the issue and adjust tracking settings in Google Tag Manager. However, the problem seems to be linked to some Shopify apps (such as the Facebook channel and the Klaviyo integration), as they directly send tracking data.
Can anyone please assist us in investigating this issue and help us prevent the unintentional leakage of sensitive information to third parties? We want to ensure that our password reset links are handled securely.
Thank you in advance for your help!
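An added illustration of the mitigation and check discussed above (example code, not from the original post or from Shopify): a scrubber that redacts the reset token from the page URL before tag scripts read it, and a helper that inspects captured outbound tracking requests for the token. It assumes reset links take the form /account/reset/<customer_id>/<token> and that the request URLs in the test are constructed samples; the query parameter names are hypothetical.

```javascript
// Added example: keep password-reset tokens out of analytics/tag requests.
// ASSUMPTION: reset links look like /account/reset/<customer_id>/<token>;
// adjust RESET_PATH to match the links your store actually sends.
const RESET_PATH = /^(\/account\/reset\/\d+\/)[^/?#]+/;
// Hypothetical query names some apps append; extend as needed.
const SENSITIVE_PARAMS = ['token', 'reset_token', 'key'];

// Return a copy of rawUrl with the token segment/params replaced, and a flag
// saying whether anything was redacted.
function scrubResetUrl(rawUrl) {
  const url = new URL(rawUrl);
  let changed = false;
  const m = url.pathname.match(RESET_PATH);
  if (m) {
    url.pathname = m[1] + 'REDACTED';
    changed = true;
  }
  for (const p of SENSITIVE_PARAMS) {
    if (url.searchParams.has(p)) {
      url.searchParams.set(p, 'REDACTED');
      changed = true;
    }
  }
  return { scrubbed: url.toString(), changed };
}

// Detection: does a captured tracking request (e.g. from the browser's
// network panel or a HAR export) carry the token, URL-encoded or not?
function requestLeaksToken(requestUrl, token) {
  return decodeURIComponent(requestUrl).includes(token);
}

// Sweep a list of captured request URLs and report the hosts that received it.
function findLeakingHosts(requestUrls, token) {
  const hosts = new Set();
  for (const u of requestUrls) {
    if (requestLeaksToken(u, token)) hosts.add(new URL(u).hostname);
  }
  return [...hosts].sort();
}

// Browser-side use: rewrite the address bar before tag scripts run, so the
// page-view hit they send no longer contains the token. No-op outside a browser.
function installScrubber() {
  if (typeof window === 'undefined') return null;
  const { scrubbed, changed } = scrubResetUrl(window.location.href);
  if (changed) window.history.replaceState(null, '', scrubbed);
  return changed;
}
```

installScrubber() must load before any tag or app script on the reset page, and you should verify the reset form still submits afterwards (a server-rendered form normally carries the token in its action rather than reading the current URL). Apps that inject their own trackers may still read the original URL earlier than your script can run, in which case the fix belongs in the app's settings rather than in the theme.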