
Shopify Left Users at Risk with Refusal to Fix RFD Vulnerability

Shopify has long been a staple for business owners who want an online presence from which to sell and market their products. Judging by usage statistics and feedback from Shopify users, the service has proved its worth many times over and remains one of the most popular streamlined ways of selling products online for a wide range of business owners who are new to internet marketing.

On the flip side of all that is good in the world of Shopify and its services, Portuguese web security researcher David Sopas uncovered an RFD (Reflected File Download) vulnerability in Shopify's platform. The vulnerability relies on attackers crafting URLs that, when clicked, trigger a file download that appears to come from a trusted site.

The downloaded file, which appears to originate from the trusted site, contains a malicious payload that runs once the user executes the file.

The RFD exploit, according to Sopas' research, allows attackers to trick users into downloading dangerous files onto their systems. His research shows that the app.shopify.com domain is susceptible to the RFD attack, which prompts users to save a malicious download and later execute the file or files.

As for the web browsers on which the RFD exploit works, there seem to be few limitations. The RFD attack is exploitable on new and old web browsers alike, including Internet Explorer versions 8 and 9 and several Google Chrome versions. While each browser may handle the file differently, the user can be routed through various redirects to the page that serves the exploit without arousing any suspicion.

When Internet Explorer is the target of the RFD attack, the file must be declared with a 'download' attribute inside a link element on the web page. In other words, the malicious file cannot be embedded in the malicious URL alone.
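The standard defences against the reflected-download pattern described above are to validate any reflected input against a strict allowlist, escape it properly in the response body, and pin the response to a fixed filename so the browser cannot take one from the URL. The following is an added illustration of those mitigations and is not Shopify's code; the endpoint, the optional callback parameter and the header checks are hypothetical.

```python
import json
import re

# Allowlist for a reflected callback name (hypothetical JSONP-style parameter).
# Input that does not match is rejected instead of being echoed into the body.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")

# Fixed download name: the browser never derives a filename from the URL path.
SAFE_FILENAME = "response.json"


def build_json_response(payload, callback=None):
    """Return (status, headers, body) for an API endpoint that reflects input."""
    if callback is not None and not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "application/json"}, json.dumps(
            {"error": "invalid callback"})
    # json.dumps escapes quotes and backslashes, so reflected strings cannot
    # break out of their JSON context.
    body = json.dumps(payload)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Stop the browser from sniffing the body as some other type.
        "X-Content-Type-Options": "nosniff",
        # Pin the filename so a crafted URL path cannot choose it.
        "Content-Disposition": 'attachment; filename="%s"' % SAFE_FILENAME,
    }
    if callback:
        body = "/**/" + callback + "(" + body + ");"
        headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, body


def rfd_findings(headers):
    """Audit response headers; return a list of missing RFD mitigations."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    cd = lower.get("content-disposition", "").lower()
    if "attachment" not in cd or "filename=" not in cd:
        findings.append("no fixed Content-Disposition filename")
    return findings
```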

Clicking the malicious link tied to the RFD exploit brings up a download confirmation popup in which the file's source is shown as Shopify. Mr. Sopas's discovery of this vulnerability, and his report to Shopify asking for a fix, led to a dead end: Shopify has not prioritized a fix, and the issue is not going to be patched any time soon, as Shopify stated in a message addressed to Sopas.

The timeline of the RFD vulnerability began with its discovery on March 19, 2015, and it remains unpatched as of this article's publication date. Shopify's refusal to acknowledge or patch the vulnerability has led people like Sopas to say they will never use the service again.

Some researchers believe that Shopify will have no choice but to remedy the vulnerability once the news of such hits large information security sites.
