Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Vendor: Shopify
Vendor URL: https://shop.app/
Versions affected: Shop Android 2.19.0-release+307, Shop iOS 2.20.0
Authors: Dan Hastings – dan.hastings[at]nccgroup[dot]com

Summary

In the Shop app, when a user adds a package, any data on the global pasteboard (iOS) or clipboard (Android) that matches a specific format defined by Shopify is automatically sent to Shopify’s servers without user interaction.

Impact

Sensitive PII such as credit card numbers and passwords can live on the global pasteboard. If any sensitive data that meets Shopify’s format requirements happens to be on the pasteboard when a user attempts to add a package, that data will be sent to Shopify’s servers.

Details

When a user browses to the add package screen in the Shop app, any data on the global pasteboard/clipboard that meets the correct formatting requirements is sent to Shopify’s servers.

The data is sent in a POST request to: https://arrive-server.shopifycloud.com/graphql

It appears in the following string within the JSON object:

"text": "{\"operationName\":\"DeliveryByTrackingCode\",\"variables\" {\"trackingCode\":\"pasteboard data redacted\"}…

Recommendation to Vendor

Consider not sending any pasteboard data to Shopify’s servers. If the pasteboard is needed, then provide users with the ability to deny the Shop app access to data on their clipboard. If clipboard access is granted, implement functionality that determines, on the device, what type of carrier the pasteboard data belongs to before sending it to Shopify’s servers.
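
The last two recommendations, sketched as an added example (not Shopify’s or NCC Group’s code): classify the clipboard text on the device and ask the user before anything is sent. The carrier patterns, function names and sample values are assumptions made for illustration, and the logic is shown in Python rather than in the app’s own language.

```python
import re

# Illustrative carrier formats (assumptions, not Shopify's actual matching rules).
CARRIER_PATTERNS = {
    "UPS": re.compile(r"1Z[0-9A-Z]{16}"),
    "FedEx": re.compile(r"[0-9]{12}|[0-9]{15}"),
    "USPS": re.compile(r"9[0-9]{19,21}"),
}

def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_payment_card(text):
    digits = re.sub(r"[ -]", "", text)
    return bool(re.fullmatch(r"[0-9]{13,19}", digits)) and luhn_valid(digits)

def classify_clipboard(text):
    """Return the carrier name if text looks like a tracking code, else None."""
    candidate = text.strip().upper()
    # A 15-digit card number also fits the numeric FedEx pattern, so format
    # matching alone is not enough: fail closed on anything Luhn-valid.
    if looks_like_payment_card(candidate):
        return None
    for carrier, pattern in CARRIER_PATTERNS.items():
        if pattern.fullmatch(candidate):
            return carrier
    return None

def tracking_code_to_send(clipboard_text, user_confirms):
    """Return the code to upload, or None if nothing may leave the device."""
    carrier = classify_clipboard(clipboard_text)
    if carrier is None:
        return None  # not a tracking code: never prompt, never send
    code = clipboard_text.strip().upper()
    return code if user_confirms(carrier, code) else None

# Constructed sample clipboard contents.
SAMPLES = ["1Z999AA10123456784", "378282246310005", "hunter2!", "123456789012"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", classify_clipboard(s))
```

The Luhn rejection fails closed: a genuine numeric tracking code that happens to pass the checksum is not offered automatically and has to be typed in by the user.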

Recommendation to Users

NCC recommends that users of the Shop iOS and Android apps update to the latest version, which prompts for confirmation before the pasteboard is sent.

Vendor Communication

2020-09-29: Vulnerability reported to Shopify. 
2020-10-01: Shopify responds to NCC Group about reported vulnerability.
2020-10-01: NCC Group responds to Shopify.
2021-01-06: NCC Group reaches out to Shopify
2021-06-04: NCC Group meets with Shopify to discuss remediation.
2021-06-11: Shopify patches the vulnerability in version 2.27.1 of the Shop app for Android and iOS
2021-07-02: NCC Group advisory released

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published Date: July 2 2021

Written by: Dan Hastings

[Editor’s note: This post was modified slightly on July 3rd to correct for the January 2021 elements in the disclosure timeline, which previously incorrectly read as if from January 2020, as well as to add version numbers for the patch release date].