Information disclosure (Google Sales Channel)
Summary
The vulnerability affects Shopify stores using the Google Sales Channel. Even if a store is protected with a password, attackers can query the endpoint google-shopping.shopifycloud.com/shopify/products?shop=&id=&locale=en with a valid product ID. The response discloses sensitive information including the data-channel-id and the data-user-email associated with the store.
This bypasses the intended privacy protections of password-protected stores and leaks sensitive identifiers and email addresses, which could be abused for targeted phishing, account takeover attempts, or large-scale data harvesting. For non-password-protected stores, exploitation is even easier since product IDs can be enumerated or discovered.
The root cause is insufficient access control on Shopify’s Google Sales Channel integration, leading to unauthorized disclosure of sensitive store and user information.
This summary was generated by AI
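A defender-side regression check for the disclosure described above, as an added example that is not part of the original report or Shopify's code: it scans a response body served to a client with no store session for the two attributes the report names, and masks the values in its own output. The sample markup and values are constructed, since the report does not show the actual response.

```python
from html.parser import HTMLParser

# Attribute names the report says the response disclosed.
SENSITIVE_ATTRS = {"data-channel-id", "data-user-email"}

# Constructed sample bodies (the report does not show the real markup).
LEAKY_BODY = '<div class="product" data-channel-id="0000000" data-user-email="owner@example.com"></div>'
CLEAN_BODY = '<div class="product"></div>'


class SensitiveAttrScanner(HTMLParser):
    """Records every sensitive attribute that carries a non-empty value."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names, so DATA-USER-EMAIL is caught too.
        for name, value in attrs:
            if name in SENSITIVE_ATTRS and value:
                self.findings.append((tag, name, value))


def find_leaks(body):
    scanner = SensitiveAttrScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def redact(value):
    """Mask a value so the audit output does not repeat the leak."""
    local, at, domain = value.partition("@")
    return f"{local[:1]}***@{domain}" if at else f"{value[:2]}***"


def audit_unauthenticated_response(body):
    """Return one finding line per sensitive attribute in a body that was
    served to a client holding no store or admin session."""
    return [f"<{tag}> exposes {name}={redact(value)}"
            for tag, name, value in find_leaks(body)]


if __name__ == "__main__":
    for line in audit_unauthenticated_response(LEAKY_BODY):
        print("FAIL", line)
    print("clean body findings:", audit_unauthenticated_response(CLEAN_BODY))
```

Run as part of an integration test suite, a non-empty result for any unauthenticated response should fail the build.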