結帳后收據中的 Shopify 腳本顯示付款信息

Question

對 Shopify 做一些研究，以確定我是否要使用它。 所以，我從一個使用它的網站上買了東西，並在每一步都查看了視圖源

我很震驚地看到，在與結帳收據一起返回的 Javascript 中，它們的信用卡信息數量驚人，很容易被黑客查看，因此很容易被黑客捕獲。

這是我所有數據都已更改的示例

<script>
Shopify.checkout = {"created_at":"2019-11-13T19:57:17-    05:00","currency":"USD","customer_id":1234566541236,"customer_locale":"en","email":"zippy@hotmail.com","    location_id":null,"order_id":1870404943944,"payment_due":"114.33","payment_url":"https:\/\/elb.deposit.s  hopifycs.com\/sessions","phone":null,"presentment_currency":"USD","reservation_time":null,"reservation_time_left":0,"requires_shipping":true,"source_name":"checkout_next","source_identifier":null,"source_url":null,"subtotal_price":"99.00","taxes_included":false,"tax_exempt":false,"tax_lines":   [{"price":"6.41","rate":0.06,"title":"OR State Tax"},
 {"price":"1.07","rate":0.01,"title":"Oregon Tax"}],
"token":"4c9d55f9bb8898e40fe36e1e75988070",
"total_price":"114.33",
"total_tax":"7.48",
"updated_at":"2019-11-13T19:57:40-05:00",
"line_items":   [{"id":"0d2b6dd0ad0186984480fb36817f9ed8","key":"0d2b6dd0ad0186984480fb36817f9ed8","product_id":15925165 42536,"variant_id":15850525491272,"sku":"ESI 071252","vendor":"My Shopify Store","title":" Euro High  Flow S1 Male Coupler","variant_title":"3\/8\"  Male","image_url":"https:\/\/cdn.shopify.com\/s\/files\/1\/1239\/9256\/products\/DSC01397.jpg? v=1549034841","taxable":true,"requires_shipping":true,"gift_card":false,"price":"24.75","compare_at_pric e":null,"line_price":"49.50","properties":  {},
"quantity":2,"grams":85,"fulfillment_service":"manual","applied_discounts":[]},
 {"id":"062af9384331b020660f9a021afb55ed","key":"062af9384331b020660f9a021afb55ed","product_id":142986457 9144,"variant_id":12867363536968,"sku":"ESI 071202","vendor":"My Shopify Store","title":" Euro High Flow  S1 Female Coupler","variant_title":"3\/8\"  Female","image_url":"https:\/\/cdn.shopify.com\/s\/files\/1\/1239\/9256\/products\/0U9A6198.jpg? v=1568991566","taxable":true,"requires_shipping":true,"gift_card":false,"price":"24.75","compare_at_pric e":null,"line_price":"49.50","properties":{},
"quantity":2,"grams":85,"fulfillment_service":"manual","applied_discounts":[]}],
"gift_cards":[],
"shipping_rate":{"handle":"BOXIFY (2.0)-USPS%20Priority%20Mail%7CC7739467-7.85","price":"7.85","title":"USPS Priority Mail"},
"shipping_address":  {"id":1234566543458,"first_name":"Tim","last_name":"Simmons","phone":"+15555555555","company":"","address1":"123 Main Street","address2":"","city":"Juxnus","province":"Oregon","province_code":"OR","country":"United States","country_code":"US","zip":"12345"},
**"credit_card":   {"first_name":"Tim","last_name":"Simmons","first_digits":"123456","last_digits":"9876","brand":"american_express","expiry_month":1,"expiry_year":2085,
"customer_id":1234566541236},
"billing_address":   {"id":1234566543458,"first_name":"Tim","last_name":"Simmons","phone":"+19148260061","company":"","address1":"123 Main Street","address2":"","city":"Juxnus","province":"Oregon","province_code":"OR","country":"United     States","country_code":"US","zip":"12345"},**
"discount":null};
</script>

這是標准行為嗎？ 顯示CC、手機號碼、到期信息和賬單地址的10位數字？

如果 Shopify 有人監視 SO

如果這是標准行為或開發人員錯誤，請回復，我當然希望是后者！

Answer 1

如果網站存在諸如 XSS 攻擊之類的安全漏洞，黑客可以竊取任何信息。

但這同樣適用於您的網上銀行，因此需要采取安全措施來防止這種情況發生。

也就是說，Shopify 具有非常安全的結帳流程，因為它每次都重定向到新的結帳流程，並且很難創建有效的 XSS 或 CSRF 攻擊。 （並非不可能，但比 WooCommerce 結賬困難得多）

此外，Checkout 是一個封閉平台，不允許使用任何 APP（他們很快就會支持此功能），只有 Shopify Plus 會員可以實際編輯checkout.liquid文件。

如果卡詳細信息存儲在輸入字段或 JS object 中，沒有區別，如果黑客可以訪問 object，他也將能夠訪問輸入。

此外，Shopify 在 Whitehat 黑客社區中非常活躍，任何報告的錯誤都是為https://hackerone.com/shopify付費的，他們很快就會修復它們。

Shopify 是首選的電子商務解決方案是有原因的。 從安全的角度來看，它比 Magento/WooCommerce 等許多其他自托管服務更安全。