- Consentik, a cookie consent and consent-management app for Shopify, kept confidential data in an openly accessible file
- The file was available for at least 100 days, if not more
- It included site analytics data, Shopify personal access tokens and Facebook authentication tokens
A popular and well-regarded Shopify plugin had been leaking confidential information for months, exposing hundreds of e-commerce companies to all kinds of risks, experts warned.
Security researchers at Cybernews spotted the leak and helped plug the hole after discovering a publicly accessible Kafka server containing Consentik's confidential data.
Consentik is a cookie consent and consent-management app for Shopify, designed to help store owners comply with privacy regulations such as GDPR, CCPA, LGPD and others. The data found on this server included site analytics data, Shopify personal access tokens and Facebook authentication tokens.
Serious risk
Consentik was built by Vietnamese web developer Omegatheme in 2018, and according to Storeleads data, the GDPR cookie consent banner is currently installed on 4,180 Shopify stores, which means there was a lot of information to harvest.
The plugin has a 4.9-star rating and a “made for Shopify” badge, which presents it as a trusted and reliable solution for merchants seeking to comply with global privacy laws.
The report does not indicate how much information was present in the files, or how many e-commerce sites were exposed to the potential risk. However, it explained that the risk was serious:
“In the wrong hands, a valid Shopify token can mean total control of a store, including access to customer data, price manipulation, malicious code injection or even replacing entire storefronts with lookalike phishing pages,” the researchers said.
“Meanwhile, the Facebook tokens opened another door to the connected target accounts, allowing attackers to launch fraudulent campaigns on a dime.”
Cybernews' researchers did not say whether anyone had managed to access these files in the past, but said that the file was available for at least 100 days before being closed at the end of May 2025.
Via Cybernews