WARNING: /collections/vendors can be a HUGE security risk for your site

Jamie_Grove
Excursionist
35 0 53

Hello!

 

Today, we discovered an unused URL on our site: /collections/vendors

 

This URL path exists on every Shopify site, and it can be a huge security hole.

 

This path takes a querystring parameter (q) and allows you to override content (titles and page details). As a "feature", it allows you to create customized pages for partners and vendors. For a link hacker, it is a pathway to filling up Google with bad content under your website.

 

Here's how it works:

 

1. Hackers create links on a website

2. Google eventually picks up the links

3. The Google index eventually displays those links

 

Here are a few discussions about this:

 

https://community.shopify.com/c/shopify-discussions/has-my-site-been-hacked/m-p/1797712/highlight/tr...

 

So, what should YOU do? If you are not using /collections/vendors, you should zap it from your site:

 

1. See if your site is currently displaying something really scary on /collections/vendors... To check this out go to https://yoursite.com/collections/vendors?q=SCARY+THING+ANYONE+CAN+DO+TO+MY+SITE

 

If you see that scary text, you are vulnerable...

 

2. In the Shopify Admin, go to Online Store > Navigation and then use the View URL Redirects link at the top of the page. Redirect /collections/vendors to /404

 

3. Edit your theme.liquid file. Add the following in the <head> section: 

 

{%- if request.path == '/collections/vendors' -%}

<meta name="robots" content="noindex">
{%- endif -%}

 

4. Consider creating a custom robots.txt file. This is a bit more complicated. Basically, you go into the code of your theme and add a new template. Robots.txt should be one of the options. This will create a custom version in your code base. Once you have that, you can add:

 

{%- comment -%} Place this inside the "for group in robots.default_groups" loop of robots.txt.liquid, after the default rules are output {%- endcomment -%}
{%- if group.user_agent.value == '*' -%}
{{ 'Disallow: /collections/vendors*' }}
{%- endif -%}

 

Which should tell all search engines to ignore content within /collections/vendors

 

5. Consider editing your collections.liquid and theme.liquid to protect the <title> element of the page and the body content of the page (typically anywhere where collection.title is used in the code).

 

6. Check to see if your website has already been a target. Go to Google and search for "site:yourstore.com/collections/vendors" (minus quotes)

 

If there are lots of bad URLs, taking the steps I've outlined above should help. You can also log into the Google Search Console and request immediate removal of all links that begin with https://yoursite.com/collections/vendors

 

Just make sure you do that last bit correctly or you'll zap your whole site from Google (bad!)

 

 

Replies 37 (37)

Jamie_Grove
Excursionist
35 0 53

Want to know how many brands may be impacted? Here's a google search: https://www.google.com/search?q=%2Fcollections%2Fvendors+m642.com

threed
Shopify Partner
129 17 50

Thank you so much for the heads-up. I had no idea this was even an issue. I will be making changes to our site; hopefully others do the same!

If I helped you, please help me by marking my comment as an accepted solution.
I am open to work and have been working with the Shopify system for several years.
Jamie_Grove
Excursionist
35 0 53

My pleasure, Threed! There are soooo many Shopify customers impacted by this. The exploit has been around for a long time too. There is zero reason for this. Zero!

Rollacrit
Visitor
1 0 2

Thanks Jamie! Shopify should be paying you for finding this hole. 

ThePL
Tourist
10 0 3

Thank you! I've got 3,070,000 results. Google SC has been giving me high fives for the massive increase in traffic from the Far East so I knew something was wrong. I've done everything on your list... I was wondering how I go about no. 5? Your instructions are pretty plain English and much appreciated!

Jamie_Grove
Excursionist
35 0 53

Glad I could help!

 

For number #5, the first thing to note is that the q parameter overrides the title of the collection when the path is /collections/vendors. So, anywhere your theme uses something like collection.title you should wrap it with a conditional clause that looks for /collections/vendors and then does something else.

 

For my theme that meant a change to the main theme.liquid file and another in something called collection--header.liquid. My guess is that theme.liquid will apply to pretty much every site. The collection page itself though probably has a unique structure.

 

theme.liquid - Find your <title> section. If you already have conditions there to display different text, you'll want to expand it with an elsif statement like I did below:

 

{% if request.page_type == 'index' %}
<title>{{ page_title }}</title>
{% elsif request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}
<title>{{ page_title }} | {{ shop.name }}</title>
{% endif %}

 

For the collection page itself (collection--header.liquid in my case), I wrapped the use of collection.title with an if statement like this:

 

{%- if request.path != '/collections/vendors' -%}{{ collection.title }}{% endif %}

 

If your site is the one I think it is (I did a quick google search), you will want to look for the template that has an h1 tag with the class of "collection-hero__title".

 

I would also recommend just bringing up the /collections/vendors page with a q parameter that is easy to identify and then look at the resulting HTML code. For example, /collections/vendors?q=ARGHHHH Then when you view code, you can look for ARGHHHH and track down all the instances in your theme where it might appear and escape them out using the techniques above.
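The canary check from step 1 of the opening post and the ARGHHHH technique just above can be scripted. The following Python is an added example, not code from the original post or from Shopify: given the status code and body of a response to /collections/vendors?q=<canary>, it reports whether the canary is reflected into indexable content (<title>, <h1>, meta description), whether the page carries a robots noindex tag, and whether the server answered 404. The class `_PageScan`, the function `check_vendor_page`, the canary value and the three HTML bodies are mine; the bodies are constructed samples of an unpatched theme, a theme patched as this thread describes, and a platform-side 404. For a real store you would pass in the result of a GET of https://yoursite.com/collections/vendors?q=<canary> instead.

```python
"""Canary check for the /collections/vendors?q= reflection described in this thread.

Added example, not code from the original post or from Shopify. It takes the
status code and body of a response to /collections/vendors?q=<canary> and
reports whether the canary is reflected into indexable content (<title>, <h1>,
meta description), whether the page carries a robots noindex tag, and whether
the platform answered 404. The three HTML bodies below are constructed samples;
for a real store, pass in the result of a GET of
https://yoursite.com/collections/vendors?q=<canary> instead.
"""
from html.parser import HTMLParser
from typing import Dict, Optional


class _PageScan(HTMLParser):
    """Collect the text of <title> and <h1> elements, plus robots/description meta tags."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.h1 = ""
        self.robots = ""
        self.description = ""
        self._in: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag in ("title", "h1"):
            self._in = tag
        elif tag == "meta":
            name = (attr.get("name") or "").lower()
            if name == "robots":
                self.robots = (attr.get("content") or "").lower()
            elif name == "description":
                self.description = attr.get("content") or ""

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "h1":
            self.h1 += data


def check_vendor_page(status: int, body: str, canary: str) -> Dict[str, bool]:
    """Classify one response. 'indexable_spam' is the condition the thread warns about:
    a 200 with attacker-controlled text in title/h1/description and no noindex tag."""
    scan = _PageScan()
    scan.feed(body)
    scan.close()
    reflected = {
        "reflected_in_title": canary in scan.title,
        "reflected_in_h1": canary in scan.h1,
        "reflected_in_description": canary in scan.description,
    }
    noindex = "noindex" in scan.robots
    return {
        **reflected,
        "is_404": status == 404,
        "noindex": noindex,
        "indexable_spam": status == 200 and not noindex and any(reflected.values()),
    }


# Use a token nobody would search for, so any hit in Google is yours (assumed value).
CANARY = "ARGHHHH-7f3a9c"

# Constructed sample: unpatched theme printing the q parameter wherever collection.title is used.
VULNERABLE_200 = f"""<html><head>
<title>{CANARY} | Example Store</title>
<meta name="description" content="{CANARY} - Example Store">
</head><body><h1 class="collection-hero__title">{CANARY}</h1></body></html>"""

# Constructed sample: theme patched per this thread (fixed title, noindex, collection.title suppressed).
HARDENED_200 = """<html><head>
<title>Example Store</title>
<meta name="robots" content="noindex">
</head><body><h1 class="collection-hero__title"></h1></body></html>"""

# Constructed sample: platform-side fix answering 404 for an unknown vendor.
NOT_FOUND_404 = "<html><head><title>404 Not Found</title></head><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    for label, status, body in (("unpatched theme", 200, VULNERABLE_200),
                                ("patched theme", 200, HARDENED_200),
                                ("platform 404", 404, NOT_FOUND_404)):
        print(label, check_vendor_page(status, body, CANARY))
```

Only the `indexable_spam` flag matters for the SEO problem in this thread; `reflected_in_*` tells you which template still prints the parameter, which is the list of places to wrap with the conditionals shown above.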

 

 

ThePL
Tourist
10 0 3

Thank you!

TUYONYC
Tourist
4 0 1

Hello! I was curious if you could help me with this code placement:

 

{% if request.page_type == 'index' %}
<title>{{ page_title }}</title>
{% elsif request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}
<title>{{ page_title }} | {{ shop.name }}</title>
{% endif %}

 

This is the only code I can see that has <title> in my site code:

 

<title>

      {% if template contains "index" %}{{ page_title }}{% else %}{{ page_title }}{% if current_tags %} {{ 'general.meta.tagged_html' | t: tags: meta_tags }}{% endif %}{% if current_page != 1 %} {{ 'general.meta.page' | t: page_number: current_page }}{% endif %}{% unless page_title contains shop.name %} - {{ shop.name }}{% endunless %}{% endif %}

</title>

 

Does the elsif statement go after it?

 

I'm not a coder and desperately want to fix this issue on my site. I was able to successfully implement your steps at the top of the thread. Just confused about this part. Thank you so much for your help!

Jamie_Grove
Excursionist
35 0 53

Hey, Tony!

 

You should be able to use a slightly modified version like this:

 

{% if request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}

<title>

      {% if template contains "index" %}{{ page_title }}{% else %}{{ page_title }}{% if current_tags %} {{ 'general.meta.tagged_html' | t: tags: meta_tags }}{% endif %}{% if current_page != 1 %} {{ 'general.meta.page' | t: page_number: current_page }}{% endif %}{% unless page_title contains shop.name %} - {{ shop.name }}{% endunless %}{% endif %}

</title>

{% endif %}

 

 

TUYONYC
Tourist
4 0 1

@Jamie_Grove Thanks so much for this response!

 

One last question: 


{% if request.path == '/collections/vendors' %}
<title>Name of Your Site</title>
{% else %}

Confused about "Name of Your Site".

 

Should this stay as is? Or do I replace it with my shop name?

 

Thank you!

 

Barked201
Excursionist
22 1 37

Shopify is completely ignoring this and they're recommending "no action is the best action." Do NOT do nothing about this - it will destroy your AS and heavily impact your rankings.

 

The robots.txt won't be effective if the pages are already indexed, as it stops Google from crawling these pages and finding the 'noindex' on them. Robots.txt is also a recommendation, and Google will ignore it from time to time. Also, if you're using vendors, you can enter the following code and it will 'noindex' any /collections/vendors page that has no products in it, past and future. Enter it in the <head> section of your theme.liquid file - I put mine right above </head> so it's easy to find for future updates.

 

{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}

 

You can verify the code is effective in Search Console by 'testing live URL'. It will take time for Google to recrawl these pages, but it should slowly remove these from being indexed and affecting your site.

 

Shopify is dropping the ball on this hard.
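Step 4 of the opening post and the caveat just above both turn on how Google reads a Disallow line. The following Python is an added example, not Shopify's or Google's code: a small Google-style robots.txt matcher (the '*' wildcard, the '$' end anchor, longest matching rule wins, Allow wins a tie) that lets you test a custom rule against the URLs the spammers use before you ship it in robots.txt.liquid. Python's own urllib.robotparser treats '*' literally, which is why the matching is written out. The functions `parse_group` and `is_allowed` are my names, and the two robots.txt texts are constructed, abbreviated samples in the shape of a Shopify-style file, not a copy of the platform default. The example also goes one step past the thread: it shows that `Disallow: /collections/vendors*` blocks any collection whose handle merely starts with "vendors", and compares it with a narrower rule that only blocks the ?q= variants.

```python
"""Google-style robots.txt matching, to test the Disallow rules from this thread.

Added example, not Shopify or Google code. Python's urllib.robotparser treats
'*' literally, so the wildcard semantics Google honours are written out here:
'*' matches any run of characters, a trailing '$' anchors the end, the longest
matching rule wins, and Allow wins a tie. Rules are matched against the URL
path including its query string, which is where the spam ?q= payload lives.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    allow: bool
    pattern: str


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Everything except '*' and a trailing '$' is literal; matching is anchored at the start.
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def parse_group(robots_txt: str, user_agent: str = "*") -> List[Rule]:
    """Collect the Allow/Disallow lines of the group(s) addressed to user_agent.

    Consecutive User-agent lines share one group; a User-agent line that follows
    a rule line starts a new group. Sitemap and unknown lines are ignored.
    """
    rules: List[Rule] = []
    in_group = False
    last_was_rule = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if last_was_rule:
                in_group = False
            in_group = in_group or value.lower() == user_agent.lower()
            last_was_rule = False
        elif field in ("allow", "disallow"):
            last_was_rule = True
            if in_group and value:  # an empty "Disallow:" means allow everything
                rules.append(Rule(allow=(field == "allow"), pattern=value))
    return rules


def is_allowed(rules: List[Rule], path_and_query: str) -> bool:
    """Longest matching pattern wins; on a tie Allow wins; no match means allowed."""
    best: Optional[Rule] = None
    for rule in rules:
        if not _pattern_to_regex(rule.pattern).match(path_and_query):
            continue
        if best is None or len(rule.pattern) > len(best.pattern) or (
            len(rule.pattern) == len(best.pattern) and rule.allow and not best.allow
        ):
            best = rule
    return True if best is None else best.allow


# Constructed, abbreviated sample in the shape of a Shopify-style '*' group,
# with the rule from step 4 of the opening post appended.
ROBOTS_BROAD = """
User-agent: *
Disallow: /admin
Disallow: /cart
Disallow: /search
Allow: /search/
Disallow: /collections/vendors*
Sitemap: https://yoursite.com/sitemap.xml
"""

# Same file with a narrower rule that blocks only the ?q= variants.
ROBOTS_NARROW = ROBOTS_BROAD.replace(
    "Disallow: /collections/vendors*", "Disallow: /collections/vendors?*"
)

SPAM_URL = "/collections/vendors?q=SPAM+LINK+TEXT"

if __name__ == "__main__":
    for name, text in (("broad", ROBOTS_BROAD), ("narrow", ROBOTS_NARROW)):
        rules = parse_group(text)
        for url in (SPAM_URL, "/collections/vendors", "/collections/vendors-choice",
                    "/collections/all", "/search?q=SPAM", "/search/"):
            print(f"{name:6} {'allow' if is_allowed(rules, url) else 'BLOCK':5} {url}")
```

Two things worth knowing when you read the output: the trailing '*' in `Disallow: /collections/vendors*` is redundant for Google, since a rule matches as a prefix anyway, and the broad rule therefore also blocks a real collection such as /collections/vendors-choice. And, as the post above says, a URL blocked in robots.txt is never fetched, so a noindex tag on that page is never seen; the two mitigations do not combine for URLs that are already in the index.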

Trevor
Shopify Staff (Retired)
3408 463 1003

Hey, everyone. 


Thank you for flagging this issue in the Community. We have raised the issue with our developers for further review. We do not have a timeline on the fix, however, I will provide an update once this has been resolved. 

 

I would encourage you to view our top related threads on this issue that provide viable workarounds:

 

 

 

Trevor | Community Moderator @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Onebyte
Shopify Partner
8 0 3

But the hack does not solve the problem! It only prevents the indexing. Moreover, it does not cover a request.path in another language.

 

For vendors:

{%- assign targetPath = '/collections/vendors' -%}
{%- if request.path contains targetPath and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}

 
For search:

{%- assign targetPath = '/search' -%}
{%- comment -%} The collection object is not defined on the search page, so test the search object instead {%- endcomment -%}
{%- if request.path contains targetPath and search.results_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}

 

Stefan Bommeli, Onebyte

Trevor
Shopify Staff (Retired)
3408 463 1003

Hello, again! 

 

Our developers have recently shipped a change that will generate a 404 page if the vendor is unknown (based on query string). The change will block it from indexing on Google. These changes will only apply to vendor pages, but our teams will investigate whether other pages may be vulnerable to this abuse.

 

This change is rolling out platform wide as we speak, so it may take some time for you to see these changes implemented. However, moving forward, this should help mitigate spammers' ability to take advantage of the query string printout to advertise their spam links. 

Trevor | Community Moderator @ Shopify
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Jamie_Grove
Excursionist
35 0 53

That's good news, Trevor. It would be really great if they just added an option in the admin to turn off the /collections/vendors page entirely since the scope is not one we can access. It was a huge surprise to find a page that was completely out of my control on the site.  I'm sure other merchants are equally surprised when they find out.

jamarzy
Shopify Partner
4 0 2

We have had this appear on our sites (Google says in October).
SERPs for valid pages appearing with Google translation options, and then around a thousand of the vendor-related URLs.
At the moment, if I click them from Search Console they seem to go to a 404 page.
Is that considered fixed, as the threads that have been recommended are full of many band-aid fixes?
Also, now in Search Console as of the 18th we are getting URLs containing "[email protected]/sandbox/products/........"
There is a thread on this here:

Shopify Bug - Web Pixels Manager Sandbox
My question is: where is the best place to read a statement from Shopify addressing these bugs, assuring Shopify customers that they are being fixed and that Google search ranking etc. should not be affected further?

Jamie_Grove
Excursionist
35 0 53

The web-pixels-manager bug is a new one on me. I only have a single entry now but I’ve gone ahead and blocked it in my robots.txt and in the search console as a precaution. Thanks for pointing that out!

 

If the other URLs on your site do go to true 404s then I would assume that the problem will resolve itself in the Google index over time. 

Notsotechy
Tourist
7 0 2

Hi, sorry I've just noticed this one too. Can you explain how I do this, please? This isn't my forte and Shopify seems to have too many bugs atm. I was on live chat for over an hour re the collections/vendors thing. They said it was nothing to do with them and to hire an expert!

Jamie_Grove
Excursionist
35 0 53

Try checking the links directly on your site. I just received a message this week from Shopify that says they are rolling out a fix to block these URLs across all sites. If this update has reached your site, you should get a page not found message when you try to visit one of the links. If that happens, Google will pull them out of the index in a week or two.

Alexis_Théry
Shopify Partner
15 0 5

I totally agree, just write a new comment on this conversation:

https://community.shopify.com/c/shopify-discussions/website-hacked-help/td-p/1748004/page/8

 

To summarize, we have:

- Bug with URL /search?q=

- Bug with URL /collections/vendors?q=

 

and now a bug with false URLs containing "[email protected]/sandbox/products/........"

 

Each week we have a new attack!

 

What is Shopify doing to:

- prevent these issues

- give the community a clear technical answer on all of these problems?

 

Our Search Console is a disaster!

 

Shopify, please do what you must do: help your customers. We all face SEO difficulties because of that.

 

 

 

threed
Shopify Partner
129 17 50

It looks like the issue hasn't been fully addressed yet, if this thread is an indicator: https://community.shopify.com/c/shopify-discussions/guidance-required-japanese-chinese-spammy-keywor... 

 

User said that the spam page indexes went down a little at first, but are now rising. Do you have any advice?

 

EDIT: Sorry, meant to directly tag @Trevor 

If I helped you, please help me by marking my comment as an accepted solution.
I am open to work and have been working with the Shopify system for several years.
Gatorfan
Visitor
1 0 1

@Trevor What is the status of this issue?  The spam links are still increasing on my site and support chat doesn't even want to acknowledge there is an issue?  What is being done to resolve this or what is the official Shopify statement on how a user can resolve this?   Very annoying 

Jamie_Grove
Excursionist
35 0 53

Update: Looking at Google Search Console, I found that we jumped from around 2,000 pages indexed to over 6,185,166 in the space of a week at the end of December. Yes, that's millions of fake pages created by this exploit...

 

4,655,957 pages are now blocked by the change I made to robots.txt and 1,119,902 are crawled but not indexed (likely due to my block).

 

paperandsons
Tourist
10 0 3

Hey @Jamie_Grove , 

thank you so much for this post.

I reported/described this issue weeks ago, as I had discovered tens of thousands of URLs in GSC.
Shopify's response was useless, and I had no idea about the intention of these q param URLs.

 

 

Jamie_Grove
Excursionist
35 0 53

UPDATE

 

I heard from the Shopify dev team this week… A fix is going in now and will be rolling out to every site very soon. The fix will send all requests to the vendors page to a 404. This should clean up all spam links in Google within a couple weeks (once it hits your site).

juanki-bcn
Tourist
11 0 1

Hi 
News about this?
I have 255.000 pages on GSC 😞 

Jamie_Grove
Excursionist
35 0 53

I'm not sure if they've rolled this out or what, but I do know that if you follow the steps I outlined you can get rid of those entries. Worked for us.

rlmauton
Tourist
11 0 3

This happened to us.  Our non-indexed page count is 140,000 and climbing.  In SEM rush, I found over 14,000 domains backlinking to collections/vendors.  Started in January and really ramped up in May.  They're continuing to make new backlinks so either they haven't realized it's not working or we don't fully understand the scam.  This is out of my wheelhouse, so forgive me if this is a stupid question, but is there a way to remove the pages rather than just making them invisible to the crawler?  It really bugs me seeing them in GSC and at the rate they're being added, disavowing the links is going to get old fast.

JamieMcKay
Tourist
7 0 5

Hello, @Trevor can I ask what is the status of this? From the thread, it looks like a fix was being rolled out in Feb/March but we haven't heard anything about the fix at all and our store had the very same issue with its collections/vendor page over the weekend.

 

Also, are Shopify working on a proactive response to this happening on any other pages, collections, products, etc?

TUYONYC
Tourist
4 0 1

Just to follow up on @JamieMcKay last post. @Trevor please give us an update on a fix to this vulnerability. It is affecting thousands of Shopify users. How can we trust @Shopify  secure service if they can't keep our sites safe? This has affected our site since last year. We have gone through the Google disavow process, but this is a @Shopify issue and must be addressed by their dev team. Please help small businesses who rely on your service.

CVC
Visitor
2 0 1

This has also happened to us.  These phantom links showed up over the course of about 30 days, then stopped. 
Shopify support has told me to contact Google and contact their security support.  I'm still waiting for that email. 
This code is too complicated for me to add so our small family business is sitting here losing money because of bad seo and has been for months. 

TUYONYC
Tourist
4 0 1

Hi @CVC 

Disavowing the phantom vendor links through google is not enough. We are also a small business and this code fix was the only fix that tells google to block the links as they show up. Furthermore, this is not a google problem as far as I understand it. It is a @Shopify issue. I have no idea why @Shopify has allowed this vulnerability to exist for so long without sending out a patch and seriously wonder if it affects the Shopify Plus users as well, or just us small businesses. All that said, I encourage you to try the code fix @Jamie_Grove provided at the top of this thread. It helped us immensely. You should also disavow the links in your google console, to prevent those from being indexed.

Step 1 disavow links in google console - this article will walk you through how to do it.

 https://support.google.com/webmasters/answer/2648487?hl=en 

Step 2 - follow the instructions at the top of this thread.

I am not terribly tech-savvy and was able to do it with a little extra help from @Jamie_Grove . Best of luck!

dlevens
Explorer
65 0 26

Checking in on this to see if any new info anyone has heard from Shopify or discovered? I am still seeing spam links get picked up by Google but do not see any bad data when searching my site. It also seems Shopify has updated the base robots.txt to block all collections and vendor pages. Is there really any benefit to updating page code or robots.txt anymore? I have updated my disavow but not sure what else to do? I have seen a drop off in traffic so I am being impacted. 

Lena__79
Tourist
7 0 1

Hi!

I just came across this post because I suddenly have a lot of products disapproved in Google Merchant Center due to a missing landing page. The landing pages work and display on both mobile and desktop, but Google still has the same issue with the links. I have seen that some of my product links go to collections/vendors while others go to collection/products, and I don't know what the problem is. Google can't help me, Shopify can't help me, and I am stuck here. Is there anything about this vendors list that could give me these problems?

Jamie_Grove
Excursionist
35 0 53

It’s probably not related to this, but if you send a link to a “bad” product I would be happy to take a look.

Lena__79
Tourist
7 0 1

Thank you! Here is a link to one of the products that Google won't approve: https://www.hudonline.no/products/zo-firming-serum?variant=42222202126504&currency=NOK&utm_medium=pr... 

Jamie_Grove
Excursionist
35 0 53

Hi, Lena.

 

I looked at the page and thought I might find something with the product's canonical URL, but it appears to be fine. Did you check to see if the page was crawlable using the Google Search Console? Also, have you installed any apps that accelerate page rendering?