Yopify commerce plugin is leaking credentials – UPDATE NOW

A vulnerability in a plug-in used by hundreds and possibly thousands of web shops made it possible for an attacker to retrieve customers’ first and last names, purchases, and location information. The plug-in in question is Yopify, which can be used on various web platforms such as:

  • BigCommerce
  • WooCommerce
  • Shopify
  • LemonStand

Every few seconds the plug-in shows potential customers a pop-up with what other customers have purchased. This includes the first name, the initial of the other customer’s last name and their place of residence, as well as the purchased product. This all happens without the customer’s permission. Investigators at the security company Rapid7 discovered that it was possible to download the data of the last 50 customers through the plug-in.


The downloaded data also included fields that were not visible in the pop-up, such as the customer’s full first and last name and city-level location data. An attacker could repeat this every few hours to build a database of customers and the products they purchased.
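The underlying defect is a feed endpoint that returns more than the pop-up displays and relies on the client to hide the rest. The following is an added example, not Yopify’s or Rapid7’s code, showing the vulnerable pattern next to a server-side redaction of the same feed, plus a small regression check that flags any non-public field reaching the response. The order records, field names, the 50-entry limit and the `location` field derived from the country are all constructed for illustration.

```javascript
// Added example (not the plug-in's code): a "recent purchases" social-proof
// feed that only exposes the fields the pop-up actually displays.

// Constructed sample orders as a shop back end might hold them.
const SAMPLE_ORDERS = [
  { id: 1, firstName: 'Alice', lastName: 'Anderson', email: 'alice@example.com',
    street: '1 Main St', city: 'Amsterdam', country: 'NL', product: 'Blue Mug',
    createdAt: '2017-05-01T10:00:00Z' },
  { id: 2, firstName: 'Bob', lastName: 'Brown', email: 'bob@example.com',
    street: '2 High St', city: 'Berlin', country: 'DE', product: 'Red Mug',
    createdAt: '2017-05-02T11:00:00Z' },
  { id: 3, firstName: 'Carol', lastName: '', email: 'carol@example.com',
    street: '3 Low St', city: 'Cork', country: 'IE', product: 'Green Mug',
    createdAt: '2017-05-03T12:00:00Z' },
];

// Allow-list (assumed): the only keys permitted to leave the server in the feed.
const PUBLIC_KEYS = ['firstName', 'lastInitial', 'location', 'product'];

// Vulnerable pattern: raw order objects are returned and the pop-up merely
// hides fields client-side, so anyone calling the endpoint receives everything,
// including full names, e-mail and street-level address data.
function buildFeedUnsafe(orders, limit) {
  return orders.slice(-limit);
}

// Hardened pattern: redact on the server. Each entry carries only what the
// pop-up shows; the last name is reduced to an initial, and e-mail, street and
// city are never copied into the response object at all.
function buildFeedSafe(orders, limit) {
  return orders
    .slice()                                               // do not mutate caller's array
    .sort((a, b) => (a.createdAt < b.createdAt ? 1 : -1)) // newest first (ISO strings)
    .slice(0, limit)
    .map((o) => ({
      firstName: o.firstName,
      lastInitial: o.lastName ? o.lastName.charAt(0).toUpperCase() + '.' : '',
      location: o.country,                                 // coarse location only
      product: o.product,
    }));
}

// Regression check: return every key present in the feed that is not on the
// allow-list, sorted for stable comparison. Run it against the endpoint's JSON
// in a test so a change that reintroduces full records fails the build.
function findLeakedKeys(feed, allowedKeys = PUBLIC_KEYS) {
  const leaked = new Set();
  for (const entry of feed) {
    for (const key of Object.keys(entry)) {
      if (!allowedKeys.includes(key)) leaked.add(key);
    }
  }
  return [...leaked].sort();
}

// Stand-alone demonstration.
console.log('unsafe feed leaks:', findLeakedKeys(buildFeedUnsafe(SAMPLE_ORDERS, 50)));
console.log('safe feed leaks:  ', findLeakedKeys(buildFeedSafe(SAMPLE_ORDERS, 50)));
```

The point of `findLeakedKeys` is that the allow-list lives next to the feed builder and is asserted on in tests, so the set of exposed fields is an explicit decision rather than whatever the order model happens to contain.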

Yopify was warned on March 22, but there was no response. After several attempts to get in touch with the company, a first response came on 18 May. Yopify has now rolled out a patch.

Founder of Cyberwarzone.com.