By security practitioners, for security practitioners

The Dangerously Opaque World of the Shopify App Store

While Shopify’s app-extensible platform is easy to use, it allows plugin developers access to customer data with seemingly no controls or oversight on responsible handling.

The wildly successful SaaS e-commerce solution Shopify makes setting up a cart site extremely simple for merchants, and allows shop owners to extend its base functionality via an open plugin marketplace they call the “App Store.” But adding plugins to Shopify is a fairly opaque process that allows plugin authors to take uncontrolled liberties with customer data.

What is meant by “opaque?” It’s the lack of transparency into how 3rd party developers actually handle data in their plugin’s execution outside the Shopify ecosystem. When installing a plugin, the code is added automatically and behind the scenes in Shopify’s App Store, so there’s nothing for a discriminating security practitioner to unpack and audit as would be the case with, say, WordPress. Is there any way for a shop owner to determine if a plugin is secure or if their accessible customer data is being handled responsibly? Not that we can tell.

It’s important to note that the following is not an indictment of either Shopify or the plugin developer community. Rather, it’s a call for awareness of what could be a vulnerable architecture that puts customer data and privacy at risk.

History: Shopify Emerges

At the end of 2021, SaaS e-commerce powerhouse Shopify is dominating the small business sector with its nearly effortless onboarding and maintenance-free user experience for retailers. Their formula has been very successful, and after going public on the NYSE in 2015 for $17 per share, their stock has ballooned to $1,573 per share at the time of this writing. The platform has been well received to say the least.

This is in stark contrast to the rest of the e-commerce solutions landscape that existed when Shopify debuted in 2006. Solutions at the time were mostly self-hosted open source PHP projects. Merchants had their choice of propping up osCommerce, PrestaShop, WordPress plugin WooCommerce, or Magento on their own server. The projects were immature and buggy, but were inexpensive or free, save for the cost of a web developer to help set them up.

Shopify’s adoption of the SaaS paradigm meant that merchants could build their store with no technical experience and minimal legwork. Like any SaaS experience, they could just sign up and start adding products to their catalog. Shopify handles the merchant payment processing, platform maintenance, and presumably…the security.

They make it about as easy as selling online can be | Shopify.com

The Shopify Experience

Running a Shopify shop is super easy for the most part—that’s the point. But sometimes their core feature set doesn’t cover everything.

Recently a friend needed some assistance in adding a feature they’d seen on another Shopify store site, and asked for help in navigating the process of extending their shop through the open plugin marketplace, which Shopify calls the “App Store.” This is a repository where developers can publish extensions to the core Shopify codebase. It only takes a few clicks to install any plugin found there, and *voila*: new features.

One example is shipping calculation. Calculating shipping costs before checkout is a feature that’s apparently not supported in the core cart workflow, so any store that uses this has likely accomplished it by installing a plugin. The plugin is specifically written to insert a step in the core process: it feeds the customer’s address to shipping APIs, calculates the cost, and adds it to the checkout screen, seamlessly.

The Shopify Marketplace

At first glance the Shopify App Store is incredible. It’s a thriving marketplace of developers from around the world creating features for shop owners that don’t require the shop owner to hire their own tech professional to build or maintain.

Like most app stores these days, it features both free and paid plugins, with controls for rating and ranking. This crowdsourced quality control allows the best plugins to bubble to the top while theoretically, the problematic or bad ones will get buried.

It’s likely that ranking is based on functionality and fulfillment of expectations. Does it work well and look good? 5 stars.

Nearly any feature can be added from a repository of plugins contributed by outside developers. | Shopify App Store

Click to install an app and you’re prompted with an acknowledgment of which data from your store the plugin will have access to:

Data access acknowledgment screen during plugin installation

It is very similar to what you would see when installing a Facebook app. 

From a security standpoint, the first red flag was how many plugins seemed to need way more access to the store data than what seems necessary to perform the task. For example, when performing a shipping cost lookup the shipping address is obviously necessary, but the customer’s name and email address?

It was a clue that perhaps prior to pulling the trigger on installing the plugins and granting an unknown party access to customer data, it might be a good idea to perform some due diligence on the developers. Some comfort might be found in reviewing their reputation as well-reviewed companies.

That exercise was frustrating and a bit scary. While the majority of highly-ranked plugins in the App Store appeared to be backed by legitimate companies, subscription payment processor ReCharge for example, several attractive plugins lacked a corporate website or even people on LinkedIn who worked for these developers. At least one LinkedIn search made it clear the well-reviewed plugin on Shopify was developed by a single person from outside the US. That’s commonplace in software development, but it was enough to arrive at a disturbing conclusion:

These plugins could so easily transport customer data outside of Shopify, and there is a huge lack of transparency about who authors the code. Can just anyone posing as a developer siphon off a shop’s customer data without revealing their identity to the store’s owner?

The next stop was the partner developer agreement to see if this issue was addressed and if there was any recourse in the event there was trouble resulting from a developer’s action or negligence.

But it wasn’t very satisfying. Shopify has no ability to confirm the developer has deleted the data. Ultimately, if something bad happens to a Shopify customer resulting from misuse of their data, it would be nearly impossible to attribute the breach to the moment something was bought on Shopify.

The agreement does include language (“9.14 Industry Standards”) that addresses industry standards regarding data security and the requirement to notify Shopify in the event of a breach. Their distilled version states:

If Partner has access to Merchant Data, Partner will only use it to provide services to the Merchant, will not communicate with Merchant’s customers unless explicitly allowed, only keep Merchant Data for as long as necessary to provide its services to the Merchant, use industry standard security measures to protect against security breaches and comply with all laws. If Partner suspects any breach of Merchant Data, Partner will notify Shopify immediately.

How Is This Actually Risky For Shop Owners?

Shopify has a lot of room for improvement in transparency and security. The App Store represents a huge liability for everyone involved, and here’s why:

  • Plugin developers can request more access to customer data than is needed.
  • Data can be transported outside the Shopify cloud infrastructure to plugin developers’ private environments, where no standards or security controls are enforced.
  • Shop owners have poor visibility into developers’ business identities.
  • While the privilege-granting acknowledgement screen is informative, most shop owners can’t be expected to think like a cybersecurity auditor. The meaning of the access is not well translated into a definition of risk.
  • There is no way to audit or trace data siphoning and attribute it to malicious usage or identity theft down the road.
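One check a shop owner or reviewer can run before installing is to compare the access an app requests against what its stated function needs, as in the shipping-calculator case above. The following Python sketch is an added example, not code from Shopify or from this article; the scope names follow Shopify’s `read_`/`write_` convention, while the field mapping, the per-purpose baselines, and the rule that a write scope implies the matching read scope are assumptions the reviewer would maintain.

```python
# Added example (not Shopify's or the article's code): least-privilege review
# of the access scopes an app requests at install time.

# ASSUMPTION: customer fields reachable through each read scope. Scope names
# follow Shopify's read_/write_ convention; the field sets are illustrative.
FIELDS_BY_SCOPE = {
    "read_customers": {"name", "email", "phone", "address"},
    "read_orders": {"name", "email", "phone", "address"},
    "read_shipping": set(),
    "read_products": set(),
}

# ASSUMPTION: customer fields each app category needs, set by the reviewer.
NEEDED_BY_PURPOSE = {
    "shipping_rates": {"address"},
    "catalog_seo": set(),
}

def effective_scopes(scope_string):
    """Split a comma-separated scope list; treat write_x as implying read_x."""
    scopes = set()
    for raw in scope_string.split(","):
        scope = raw.strip().lower()
        if not scope:
            continue
        scopes.add(scope)
        if scope.startswith("write_"):
            scopes.add("read_" + scope[len("write_"):])
    return scopes

def review(purpose, scope_string):
    """Return scopes exposing unneeded customer fields, and unmapped scopes."""
    needed = NEEDED_BY_PURPOSE.get(purpose, set())  # unknown purpose: nothing needed
    report = {"over_broad": {}, "unmapped": []}
    for scope in sorted(effective_scopes(scope_string)):
        if scope.startswith("write_"):
            continue  # data exposure is judged on the implied read scope
        if scope not in FIELDS_BY_SCOPE:
            report["unmapped"].append(scope)  # not in the map: review by hand
            continue
        excess = FIELDS_BY_SCOPE[scope] - needed
        if excess:
            report["over_broad"][scope] = sorted(excess)
    return report

if __name__ == "__main__":
    # Constructed scope lists, as transcribed from two install prompts.
    print(review("shipping_rates", "read_orders, write_shipping, read_customers"))
    print(review("catalog_seo", "write_products,read_themes"))
```

An app with an unrecognized purpose is treated as needing no customer fields, so every scope that exposes customer data is flagged rather than silently accepted.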

By far, the biggest issue with the current Shopify developer ecosystem is that the plugin developers’ access allows them to directly transport, copy, and view customer data in whatever medium they choose to store it. They can pull down names, addresses, emails, phone numbers, and any other customer data into their private environments via Shopify’s Developer REST API.

Sample customer object from the Shopify REST API documentation.

While this is likely the easiest path for many of them to accomplish what they need to do with their plugin logic, it represents a huge security liability. What security standards and controls do they adhere to for their endpoints and data storage? What protocols will they follow in the event of a breach? Do they even have enough visibility into their own systems to detect a breach?

Who’s doing it right? Back to ReCharge, the subscription payment processing plugin. They specifically outline their security and PCI compliance controls on their website. That’s very reassuring.

While it’s possible there are some scammer plugin developers out there, the much more likely scenario is that a developer suffers a data breach in their private environment and lacks the tooling and controls to be aware of it. The first indicator would be a seemingly uncorrelated abuse of the customer’s data.

What Shopify Should Do

So what is the solution? Shopify is clearly a successful platform that works well, but with great popularity comes a responsibility to improve the safety of the marketplace.

Here are two big steps they can take:

  1. They can build a workload environment where all developer code runs in Shopify-owned containers from which the developers have no direct access to Shopify store owners’ data for their production workloads. Let them perform their logic on the data via some sort of proxy and prevent them from copying it offsite.
  2. They can disclose a lot more information about their developers to help discerning shop owners make informed decisions on who has access to their data.

What Shopify Store Owners Should Do

If you’re a Shopify store owner, don’t use any plugin that requires access to your customer data unless you’re confident the developer is a company (not just an individual) that you can trust.

Remember, you’re making a judgment call on behalf of your customers that their data is respected, used responsibly, and stored securely.

What People Who Buy Things on Shopify Should Know

Don’t stop using Shopify because of these observations. Support small businesses who use Shopify as their storefront.

Set up multi-factor authentication on all your email accounts, and any other accounts worthy of protecting.

It’s important to know and accept the depressing fact that your data has already been stolen, abused, and misused by other platforms many times over. However, we can still encourage leaders in this space, like Shopify, to do more to secure customer data.
