Security related questions

Topic summary

A user raised concerns about potential security vulnerabilities in their Shopify store’s GraphQL endpoint (/checkouts/unstable/graphql). The endpoint has introspection enabled, and the user is uncertain whether this can be controlled.

A security researcher contacted them claiming that:

  • Sensitive information and tokens can be exposed by modifying POST requests to this API endpoint
  • The endpoint returns a different shopPayApiToken on each request, which the user suspects serves as an identifier for stores using Shop Pay (their store does not use it, yet the token is still returned)
  • This information should not be publicly accessible

Shopify Developer Support responded by directing the user to report the issue through Shopify’s official HackerOne Bug Bounty program (https://hackerone.com/shopify). They emphasized this is the appropriate channel for researchers to report large-scale security concerns, as the team there can best determine whether it’s a previously reviewed issue or requires new attention.

The discussion remains open pending further investigation through the proper security reporting channels.

Summarized with AI on November 8. AI used: claude-sonnet-4-5-20250929.

Hi,

Sorry if this is the wrong place to ask, the support team pointed me here.

We have been getting asked questions about our Shopify store around information that can potentially be gleaned from an API endpoint:

/checkouts/unstable/graphql

The API has introspection enabled - not sure if we can control that?

The researcher who contacted us about the issue seems to believe that the tokens and information that can be exposed by modifying a POST request to the API endpoint above are sensitive and should not be public.

For example, it returns a shopPayApiToken which appears to be unique each time. This leads me to believe that this is used as an identifier if the store is using ShopPay? (Oddly, our store is not, but it still seems to return the token anyway.)

Hi @Knohm,

Thanks for your post. The recommended place for researchers to report large-scale security concerns in detail, to ensure they get the most appropriate attention and fastest review, is the HackerOne Bug Bounty program found here:

https://hackerone.com/shopify?type=team

There’s a ‘Submit Report’ button at the top and a lot of supporting information below. The team there can best identify if it’s an issue that has been reviewed before or if it’s something new that needs to be addressed.
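The two claims in the thread (introspection is enabled; a field such as shopPayApiToken comes back different on every request) can be checked mechanically before deciding what to report. The script below is an added example, not code from the thread or from Shopify. The `FakeEndpoint` stand-in, its schema and the `tok_…` values are constructed for the example so it runs offline; `http_post` is an assumed transport for an endpoint you are authorised to test. It sends the standard introspection query and classifies the reply, lists schema fields whose names look credential-like, and repeats a query to see whether a field's value changes per request.

```python
"""Offline check of two claims about a GraphQL endpoint: (1) introspection
answers with a schema, (2) a named field is different on every request.
The transport is a plain callable, so the checks run against a constructed
stand-in here and against a live endpoint via http_post() when authorised."""
import json
import re
import urllib.request
from typing import Any, Callable, List, Optional

Post = Callable[[str], str]  # query text in, raw JSON response body out

# Minimal form of the standard introspection query. With introspection enabled
# the reply carries data.__schema; with it disabled it carries an "errors"
# array and no schema.
INTROSPECTION_QUERY = (
    "query { __schema { queryType { name } types { name fields { name } } } }"
)

SENSITIVE_NAME = re.compile(r"token|secret|key|password|credential", re.I)


def http_post(url: str) -> Post:
    """Transport for a real endpoint (assumed shape; not exercised offline)."""
    def post(query: str) -> str:
        req = urllib.request.Request(
            url,
            data=json.dumps({"query": query}).encode(),
            headers={"Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    return post


def introspection_enabled(post: Post) -> bool:
    """True when the endpoint answers the introspection query with a schema."""
    body = json.loads(post(INTROSPECTION_QUERY))
    return isinstance((body.get("data") or {}).get("__schema"), dict)


def sensitive_field_names(post: Post) -> List[str]:
    """Triage only: list Type.field names from the exposed schema whose name
    suggests a credential. A field called *Token may still be a public key."""
    body = json.loads(post(INTROSPECTION_QUERY))
    schema = (body.get("data") or {}).get("__schema") or {}
    hits = []
    for t in schema.get("types") or []:
        for f in t.get("fields") or []:
            if SENSITIVE_NAME.search(f["name"]):
                hits.append(f"{t['name']}.{f['name']}")
    return hits


def find_field(obj: Any, name: str) -> Optional[Any]:
    """Depth-first search for a key anywhere in a nested JSON value."""
    if isinstance(obj, dict):
        if name in obj:
            return obj[name]
        obj = list(obj.values())
    if isinstance(obj, list):
        for v in obj:
            found = find_field(v, name)
            if found is not None:
                return found
    return None


def field_values(post: Post, query: str, field: str, n: int = 3) -> List[Any]:
    """Send the same query n times and collect the field's value each time."""
    return [find_field(json.loads(post(query)), field) for _ in range(n)]


def changes_every_request(values: List[Any]) -> bool:
    """True if no two responses carried the same value (a per-request token)."""
    seen = {json.dumps(v, sort_keys=True) for v in values}
    return len(values) > 1 and len(seen) == len(values)


class FakeEndpoint:
    """Constructed stand-in for the endpoint in the thread: introspection on
    by default and a token minted fresh on every call. The schema is invented
    for this example, not Shopify's real schema."""
    def __init__(self, introspection: bool = True) -> None:
        self.introspection = introspection
        self.calls = 0

    def post(self, query: str) -> str:
        self.calls += 1
        if "__schema" in query:
            if not self.introspection:
                return json.dumps({"errors": [{"message": "GraphQL introspection is not allowed"}]})
            return json.dumps({"data": {"__schema": {
                "queryType": {"name": "Query"},
                "types": [
                    {"name": "Query", "fields": [{"name": "session"}]},
                    {"name": "Session", "fields": [{"name": "shopPayApiToken"}, {"name": "currency"}]},
                ]}}})
        return json.dumps({"data": {"session": {
            "shopPayApiToken": f"tok_{self.calls:04d}", "currency": "USD"}}})


if __name__ == "__main__":
    ep = FakeEndpoint()
    print("introspection enabled:", introspection_enabled(ep.post))
    print("credential-like fields:", sensitive_field_names(ep.post))
    vals = field_values(ep.post, "query { session { shopPayApiToken } }", "shopPayApiToken")
    print("changes per request:", changes_every_request(vals), vals)
```

Two caveats when reading the output. A value that changes on every request is evidence of a per-request token, not of a secret: session nonces and anti-CSRF values behave the same way and are meant to be handed to the client. Likewise, an exposed schema tells you which fields exist, not whether any of them leaks data the caller is not entitled to. Settling those questions needs knowledge of how the token is consumed server-side, which is exactly why the thread points researchers at the bug bounty programme rather than the community forum.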