Rapid7 has disclosed a vulnerability it found in Yopify, an ecommerce notification plugin utilised by a number of websites, including Shopify, that indirectly leaks the first name, last initial, city and purchase data of recent online shoppers, all without user authorisation. The various plugin sites show over 300 reviews of Yopify, which suggests that the number of exploitable sites is at least in the hundreds, and perhaps thousands.
While seemingly harmless at first glance, this personal shopper data can be used by hackers to infer parts of customers’ identities, making them vulnerable to personal information breaches, blackmail and even violence.
You can find the full vulnerability report here: https://community.rapid7.com/community/infosec/blog/2017/05/31/r7-2017-05-centire-yopify-information-disclosure-cve-2017-3211
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.