
Shopify script from receipt after checkout displays payment info

Doing some research on Shopify, to determine if I want to use it. So, I bought something from a site that uses it, and looked at the view source at each step.

I was horrified to see that in the JavaScript returned with the checkout receipt, there is a horrifying amount of credit card info easily viewed and therefore easily captured by a hacker.

Here is a sample with all my data changed:

<script>
Shopify.checkout = {"created_at":"2019-11-13T19:57:17-05:00","currency":"USD","customer_id":1234566541236,"customer_locale":"en","email":"zippy@hotmail.com","location_id":null,"order_id":1870404943944,"payment_due":"114.33","payment_url":"https:\/\/elb.deposit.shopifycs.com\/sessions","phone":null,"presentment_currency":"USD","reservation_time":null,"reservation_time_left":0,"requires_shipping":true,"source_name":"checkout_next","source_identifier":null,"source_url":null,"subtotal_price":"99.00","taxes_included":false,"tax_exempt":false,
"tax_lines":[{"price":"6.41","rate":0.06,"title":"OR State Tax"},
 {"price":"1.07","rate":0.01,"title":"Oregon Tax"}],
"token":"4c9d55f9bb8898e40fe36e1e75988070",
"total_price":"114.33",
"total_tax":"7.48",
"updated_at":"2019-11-13T19:57:40-05:00",
"line_items":[{"id":"0d2b6dd0ad0186984480fb36817f9ed8","key":"0d2b6dd0ad0186984480fb36817f9ed8","product_id":1592516542536,"variant_id":15850525491272,"sku":"ESI 071252","vendor":"My Shopify Store","title":"Euro High Flow S1 Male Coupler","variant_title":"3\/8\" Male","image_url":"https:\/\/cdn.shopify.com\/s\/files\/1\/1239\/9256\/products\/DSC01397.jpg?v=1549034841","taxable":true,"requires_shipping":true,"gift_card":false,"price":"24.75","compare_at_price":null,"line_price":"49.50","properties":{},
"quantity":2,"grams":85,"fulfillment_service":"manual","applied_discounts":[]},
 {"id":"062af9384331b020660f9a021afb55ed","key":"062af9384331b020660f9a021afb55ed","product_id":1429864579144,"variant_id":12867363536968,"sku":"ESI 071202","vendor":"My Shopify Store","title":"Euro High Flow S1 Female Coupler","variant_title":"3\/8\" Female","image_url":"https:\/\/cdn.shopify.com\/s\/files\/1\/1239\/9256\/products\/0U9A6198.jpg?v=1568991566","taxable":true,"requires_shipping":true,"gift_card":false,"price":"24.75","compare_at_price":null,"line_price":"49.50","properties":{},
"quantity":2,"grams":85,"fulfillment_service":"manual","applied_discounts":[]}],
"gift_cards":[],
"shipping_rate":{"handle":"BOXIFY (2.0)-USPS%20Priority%20Mail%7CC7739467-7.85","price":"7.85","title":"USPS Priority Mail"},
"shipping_address":{"id":1234566543458,"first_name":"Tim","last_name":"Simmons","phone":"+15555555555","company":"","address1":"123 Main Street","address2":"","city":"Juxnus","province":"Oregon","province_code":"OR","country":"United States","country_code":"US","zip":"12345"},
// the two objects below were highlighted (bold) in the original post
"credit_card":{"first_name":"Tim","last_name":"Simmons","first_digits":"123456","last_digits":"9876","brand":"american_express","expiry_month":1,"expiry_year":2085,
"customer_id":1234566541236},
"billing_address":{"id":1234566543458,"first_name":"Tim","last_name":"Simmons","phone":"+19148260061","company":"","address1":"123 Main Street","address2":"","city":"Juxnus","province":"Oregon","province_code":"OR","country":"United States","country_code":"US","zip":"12345"},
"discount":null};
</script>

Is this standard behavior? Showing 10 digits of the CC, mobile number, the expiration info and billing address?

If someone from Shopify monitors SO,

PLEASE respond if this is standard behavior or a developer error, I certainly hope it's the latter!

A hacker can steal any information if the site has a security hole like some sort of XSS attack.

But the same applies for your online banking, so that's why there are security measures to prevent that.

That said, Shopify has a very secure checkout flow, since it's redirecting to a new checkout every time and it's very hard to create a working XSS or CSRF attack (not impossible, but a lot harder than a WooCommerce checkout, for example).

In addition, the Checkout is a closed platform, no APPs (they will have support for this soon) are allowed there and only Shopify Plus members can actually edit the checkout.liquid file.

There is no difference if the card details are stored in an input field or in a JS object; if a hacker can get to the object he will be able to get to the inputs as well.

In addition, Shopify is very active in the white-hat hacker community; any reported bug is paid for (https://hackerone.com/shopify) and they are quick to fix them.

There is a reason why Shopify is the preferred E-Commerce solution. From a security point of view it's a lot safer than a lot of other self-hosted services like Magento/WooCommerce.
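As an added example (not from the question, the answer or Shopify itself), a small Python audit that pulls the `Shopify.checkout` object out of a saved checkout page and lists which payment and contact fields any script running on that page could read, which is the exposure the two posts above are arguing about. The sample HTML is constructed from the question's placeholder data, and the PCI display limit used is the first-six/last-four rule of PCI DSS v3.2.1 requirement 3.3.

```python
import json
import re

# Constructed sample (not real customer data): the shape of the Shopify.checkout
# object from the question, reduced to the fields relevant to the audit.
SAMPLE_HTML = """<html><body><script>
Shopify.checkout = {"token":"4c9d55f9bb8898e40fe36e1e75988070",
"email":"zippy@hotmail.com","phone":null,
"credit_card":{"first_name":"Tim","last_name":"Simmons","first_digits":"123456",
"last_digits":"9876","brand":"american_express","expiry_month":1,"expiry_year":2085},
"billing_address":{"first_name":"Tim","phone":"+15555555555","zip":"12345"},
"discount":null};
</script></body></html>"""

# PCI DSS v3.2.1 requirement 3.3: when a PAN is displayed, the first six and
# last four digits are the maximum that may be shown.
PCI_MAX_DISPLAYED_DIGITS = 10


def extract_checkout(html):
    """Return the Shopify.checkout object embedded in the page, or None."""
    m = re.search(r"Shopify\.checkout\s*=\s*", html)
    if not m:
        return None
    # raw_decode parses one JSON value starting at the given offset and stops
    # at its closing brace, so nested objects and the trailing ';' are handled.
    obj, _ = json.JSONDecoder().raw_decode(html, m.end())
    return obj


def audit_checkout(checkout):
    """List the payment and contact fields a script on the page could read."""
    findings = []
    card = checkout.get("credit_card") or {}
    shown = len(card.get("first_digits", "")) + len(card.get("last_digits", ""))
    if shown:
        verdict = ("at" if shown <= PCI_MAX_DISPLAYED_DIGITS
                   else "EXCEEDS") + " the PCI display limit"
        findings.append(f"credit_card: {shown} PAN digits exposed ({verdict})")
    if "expiry_month" in card and "expiry_year" in card:
        findings.append("credit_card: expiry date exposed")
    for section in ("billing_address", "shipping_address"):
        if (checkout.get(section) or {}).get("phone"):
            findings.append(f"{section}: phone number exposed")
    if checkout.get("email"):
        findings.append("email: address exposed")
    return findings
```

Run `audit_checkout(extract_checkout(html))` against the saved source of your own store's thank-you page to see exactly what the embedded object hands to any script on that page.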
