Vendor: Shopify
Vendor URL: https://shop.app/
Versions affected: Shop Android 2.19.0-release+307, Shop iOS 2.20.0
Authors: Dan Hastings – dan.hastings[at]nccgroup[dot]com
Summary
In the Shop app, when a user adds a package, any data on the global pasteboard (iOS) or clipboard (Android) that matches a specific format defined by Shopify is automatically sent to Shopify’s servers without user interaction.
Impact
Sensitive PII such as credit card numbers and passwords can live on the global pasteboard. If sensitive data that meets Shopify’s format requirements happens to be on the pasteboard when a user attempts to add a package, that data will be sent to Shopify’s servers.
Details
When the user browses to the add package screen in the Shop app, any data on the global pasteboard/clipboard that meets the formatting requirements is sent to Shopify’s servers.
The data is sent in a POST request to: https://arrive-server.shopifycloud.com/graphql
The following string appears within the JSON object:
"text": "{\"operationName\":\"DeliveryByTrackingCode\",\"variables\":{\"trackingCode\":\"pasteboard data redacted\"}…
Recommendation to Vendor
Consider not sending any pasteboard data to Shopify’s servers. If the pasteboard is needed, then provide users with the ability to deny the Shop app access to data on their clipboard. If clipboard access is granted, determine on the device which carrier the pasteboard contents belong to before sending anything to Shopify’s servers.
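The on-device check and confirmation step recommended above, as an added example written for this advisory (not Shopify's Shop app code). The carrier patterns are assumed approximations, the function names are hypothetical, and the GraphQL operation and variable names are the ones quoted in the Details section.

```python
import json
import re
from typing import Callable, Optional, Tuple
# Illustrative carrier formats. Assumption: these approximate common UPS/USPS/FedEx
# tracking-number shapes and are not Shopify's actual matching rules.
CARRIER_PATTERNS = {
    "UPS": re.compile(r"^1Z[A-Z0-9]{16}$"),
    "USPS": re.compile(r"^9\d{19}(?:\d{2})?$"),
    "FEDEX": re.compile(r"^(?:\d{12}|\d{15})$"),
}

def classify_on_device(clipboard_text: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (carrier, normalized_code) if the clipboard looks like a tracking
    code, else None. Runs entirely on the device; nothing is transmitted here."""
    candidate = re.sub(r"\s+", "", clipboard_text or "").upper()
    for carrier, pattern in CARRIER_PATTERNS.items():
        if pattern.match(candidate):
            return carrier, candidate
    return None

def build_lookup_request(tracking_code: str) -> str:
    """GraphQL body using the operation and variable names quoted in the advisory."""
    return json.dumps({"operationName": "DeliveryByTrackingCode",
                       "variables": {"trackingCode": tracking_code}})

def vulnerable_add_package(clipboard_text: Optional[str],
                           send: Callable[[str], None]) -> Optional[str]:
    """Before: anything matching a tracking shape is sent with no prompt."""
    match = classify_on_device(clipboard_text)
    if match is None:
        return None
    body = build_lookup_request(match[1])
    send(body)
    return body

def hardened_add_package(clipboard_text: Optional[str], confirm: Callable[[str, str], bool],
                         send: Callable[[str], None]) -> Optional[str]:
    """After: classify locally, then require explicit consent before any request.
    Format checks alone are not enough: a 15-digit Amex number also fits the FedEx
    shape above, so the confirmation step is what keeps such data on the device."""
    match = classify_on_device(clipboard_text)
    if match is None:
        return None  # passwords and most card numbers never match, so never leave the device
    carrier, code = match
    if not confirm(carrier, code):
        return None  # user declined: still no network call
    body = build_lookup_request(code)
    send(body)
    return body
```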
Recommendation to Users
NCC recommends that all users of the Shop iOS and Android apps update to the latest version, which prompts for confirmation before pasteboard data is sent.
Vendor Communication
2020-09-29: Vulnerability reported to Shopify.
2020-01-10: Shopify responds to NCC Group about reported vulnerability.
2020-01-10: NCC Group responds to Shopify.
2020-01-06: NCC Group reaches out to Shopify.
2021-06-04: NCC Group meets with Shopify to discuss remediation.
2021-06-11: Shopify patches the vulnerability in the most recent Shop app release for Android and iOS.
2021-07-02: NCC Group advisory released.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: July 2, 2021
Written by: Dan Hastings