App Proxy is not secure, anyone can send requests and DDoS your server?

Bulxar
Shopify Partner


Many apps that use an App Proxy URL rely on the Shopify customer ID to show sensitive data like phone number, address and email.

If you register in such a store (you can check the Shopify App Store and see which store is using the app), then log in and grab the App Proxy URL from the Shopify store,

after that you will be able to send as many requests as you want (if the app developer is not sleeping somewhere on the beach without DDoS protection, which many apps don't have) and generate Shopify customer IDs starting from 3000000000000 to 5000000000000 (yeah, this takes time, yeah, it's hard, but it's automated).

After executing this process I was able to get customer sensitive data like I described above.


    {
      "customer": {
        "id": 1451,
        "customer_id": 5238771974322,
        "name": "sensitive",
        "email": "sensitive",
        "is_from_shopify": 1,
        "is_from_mailchimp": 0,
        "accepts_marketing": 1,
        "is_subscriber": 1,
        "state": "enabled",
        "phone": "sensitive",
        "birthdate": "sensitive",
        "gender": "sensitive",
        "credits": 0,
        "points": 0,
        "is_register_given": 0,
        "is_subscriber_given": 0,
        "is_first_order_given": 0,
        "referral_code": "sensitive",
        "refer_by": null,
        "verified_email": 0,
        "orders_count": 0,
        "total_spent": 0,
        "last_order_id": null,
        "last_order_name": null,
        "last_order_created_at": null,
        "currency": "MYR",
        "note": null,
        "created_at": "2021-01-23T11:08:21.000000Z",
        "updated_at": "2021-01-23T11:08:27.000000Z",
        "total_spent_credits": 0,
        "refund_credits": 0,
        "promotional_credits": 0,
        "total_earned_credits": 0,
        "credit_log": [],
        "earned_credits": [],
        "spent_credits": []
      }
    }

 
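The enumeration described in the post works because the app trusts a customer ID supplied by the client. Shopify forwards App Proxy requests with a `signature` parameter (HMAC-SHA256, hex, over the other query parameters sorted and concatenated as `key=value` with no separator, arrays comma-joined, keyed with the app's API secret) and a `logged_in_customer_id` parameter that Shopify itself fills in from the storefront session. The following is an added example, not code from the thread or from any of the apps it mentions: it shows a handler that trusts a client-supplied `customer_id` next to one that verifies the proxy signature and serves only the customer Shopify says is logged in. The secret, the shop domain, the path prefix and the in-memory customer table are all constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed demo secret. A real app reads its API secret key from configuration.
SHARED_SECRET = "demo-app-secret-do-not-use"

# Constructed stand-in for the app's customer table, keyed by Shopify customer id.
CUSTOMERS = {
    5238771974322: {"name": "Alice", "email": "alice@example.com", "phone": "+60-111"},
    5238771974323: {"name": "Bob", "email": "bob@example.com", "phone": "+60-222"},
}


def app_proxy_signature(params: dict[str, list[str]], secret: str) -> str:
    """Compute the App Proxy signature: sort the params, join each as key=value
    (multi-valued params comma-joined) with no separator, then HMAC-SHA256 hex."""
    message = "".join(
        f"{key}={','.join(values)}"
        for key, values in sorted(params.items())
        if key != "signature"
    )
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_app_proxy(query: str, secret: str) -> Optional[dict[str, list[str]]]:
    """Return the parsed params if the query carries a valid proxy signature, else None.
    keep_blank_values matters: Shopify sends logged_in_customer_id= (empty) for guests,
    and that empty pair is part of the signed message."""
    params = parse_qs(query, keep_blank_values=True)
    presented = params.get("signature", [""])[0]
    expected = app_proxy_signature(params, secret)
    if not hmac.compare_digest(presented, expected):
        return None  # forged, tampered, or sent straight to the origin, not via Shopify
    return params


def vulnerable_handler(query: str) -> Optional[dict]:
    """The pattern the post describes: whoever calls the endpoint picks the customer id."""
    params = parse_qs(query)
    customer_id = int(params["customer_id"][0])
    return CUSTOMERS.get(customer_id)


def hardened_handler(query: str) -> Optional[dict]:
    """Only trust the identity Shopify attached and signed; ignore any client-chosen id."""
    params = verify_app_proxy(query, SHARED_SECRET)
    if params is None:
        return None
    logged_in = params.get("logged_in_customer_id", [""])[0]
    if not logged_in:
        return None  # guest session: nothing to show
    return CUSTOMERS.get(int(logged_in))


def build_signed_query(fields: dict[str, str], secret: str) -> str:
    """Constructed fixture: produce a query string signed the way Shopify's proxy signs it."""
    as_lists = {key: [value] for key, value in fields.items()}
    signed = dict(fields, signature=app_proxy_signature(as_lists, secret))
    return urlencode(signed)


if __name__ == "__main__":
    # Alice is logged in on the storefront but asks the app for Bob's record.
    query = build_signed_query(
        {
            "shop": "demo-store.myshopify.com",
            "path_prefix": "/apps/loyalty",
            "timestamp": "1611399000",
            "logged_in_customer_id": "5238771974322",
            "customer_id": "5238771974323",
        },
        SHARED_SECRET,
    )
    print("vulnerable:", vulnerable_handler(query))  # Bob's data leaks
    print("hardened:  ", hardened_handler(query))    # Alice gets only her own record
    # Rewriting the signed id without the secret breaks the signature.
    print("tampered:  ", hardened_handler(query.replace("5238771974322", "5238771974323")))
```

The hardened handler answers the post's enumeration directly: the only identifier it honours is the one Shopify signed, so changing it invalidates the request. Note that the signature covers the parameters but carries no nonce, so a captured signed URL is replayable for as long as the app accepts it; checking the `timestamp` against a short window and rate-limiting the proxy route (both left out above) are the usual additions.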

_JCC_
Shopify Staff

Hey @Bulxar ,

Thanks for sharing this issue. You can report this issue directly on our HackerOne Shopify page, as suggested on our security response page.

Regards,

John

John C | Developer Support @ Shopify 