
A customer is able to go directly to the cart and add zero priced items

michaelborginis (Visitor)

Hi, the other day a new customer was able to add a zero-priced item to the cart and check out. We have a simple mod in our Supply template that hides the Add to Cart button and displays a message, "Contact us for pricing", when the price is set to zero. This has worked well since we went live several years ago.

Recently someone has been circumventing this and adding zero-priced items to the cart and checking out. It happened again last night; this is 3 times altogether. Session details reveal that they are bypassing product pages altogether and going directly to the checkout. So this is disturbing. EVEN MORE disturbing is that the Shopify Support Chat "person" gathered all this information and came back a day later essentially saying "Our engineers really don't understand any of this stuff so you should go on the forum or hire someone to look into it".

We have added some fraud rules to try to block this specific customer and activity. But isn't this a serious security issue? Shouldn't Shopify be concerned and actually look into it? And we think the support chat person is a chatbot. Any help or insight is greatly appreciated.

Mike Borginis for Durland Company

Replies 2 (2)

PaulNewton (Shopify Partner)

tl;dr: Not a security issue; works as intended. If you publish a product, expect it to be purchasable, as the APIs support a lot of use cases and are NOT changeable. Proper technical discovery and understanding platform capabilities can prevent false expectations. Tier-0 support is lackluster; bypass bots by asking for "support advisor" or "human".

I highly doubt tier-0 support would claim "Our engineers really don't understand any of this stuff" when it's their job to make this stuff; a lack of situation-specific support is not a reason to warp a conversation so badly that it's borderline misinformation. Shopify support has fallen off, but I've never ever seen one say something like that, either brashly or casually.

Customers being able to purchase $0 items is the result of low cost implementations with low effort technical discovery.

The APIs work this way on purpose to support a broad range of use cases and are NOT changeable.

If a product is published, that makes it possible for it to be purchased.

Purchasing can happen using features such as the Ajax API, permalinks, buy buttons, sales channels, etc., etc., etc.

Don't just use a fraud app for one-offs; set up an automation to either reject invalid orders with Shopify Flow,

https://help.shopify.com/en/manual/shopify-flow/reference/actions/cancel-order

or, more advanced, convert them to draft orders:

https://tasks.mechanic.dev/create-a-draft-order-from-the-cart 

To fully lock down an order process on Shopify would effectively require a high barrier to entry with a custom headless storefront, Shopify Functions, backend order validations, etc., etc., etc.



michaelborginis (Visitor)

Hey Paul, thanks for the info. Was not aware of all the different ways that this could happen. We will check out your suggestions.

Mike