Discovering a Critical Vulnerability in a Shopify App: Loox Reviews
I’m no stranger to stumbling upon oddities in software, but this time I found something big: a vulnerability in a popular Shopify app, Loox Reviews, that made me raise an eyebrow. Loox is a well-known reviews app that many Shopify merchants use to build credibility with customer feedback. What I found was a critical flaw that could expose sensitive customer data, all because of an insecure direct object reference (IDOR).
Please note that this vulnerability was discovered and fixed in 2023; this blog post is a post-mortem.
The Vulnerability: What Was the Issue?
It all started with a seemingly innocent GET request. I was poking around the Loox reviews widget for a work project when I noticed something odd: Loox uses publicly accessible merchant IDs as part of its request URLs. No big deal, right? It became a big deal when I realized that by simply changing the merchant ID in the URL, I could access another merchant’s review data, including sensitive customer information such as email addresses, review content, and admin settings. Reading information that is already public, product reviews in this case, is one thing; this was much more.
To make matters worse, this didn’t require any authentication at all. Anyone, even without being logged in to Shopify, could exploit it. All an attacker had to do was find a merchant ID (easily scraped from public pages) and swap it into a URL. With that one change, you could pull down entire CSV files of reviews and customer data.
The Technical Breakdown
At the core of the issue was Loox’s export hash mechanism. The hash that unlocks a review export was handed out by a publicly reachable URL that took the merchant ID as a parameter, and nothing in that flow checked that the requester actually owned the merchant account. Anyone with a merchant ID could request the URL, receive an export hash, and download that merchant’s review data, all without a valid login. That is the textbook IDOR pattern: the object identifier in the URL is the only key, and the server never verifies that the caller is authorized for that object.
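To make the flaw concrete, here is an added example, written for this post rather than taken from Loox, that models the two-step export flow described above (merchant ID in, export hash out, hash unlocks the CSV) in its vulnerable form next to a hardened one. The endpoint names, the in-memory review store, the two sample merchants and the HMAC-token scheme are all assumptions for illustration; the fix Loox actually shipped is not described on this page.

```python
"""Model of the export flow: an unauthenticated endpoint takes a merchant ID
and returns an export hash, and that hash alone unlocks a CSV download.
Endpoint names, data model and sample merchants are assumed for this
illustration; this is not Loox's code."""
import hashlib
import hmac
import secrets
import time

# Constructed sample data: two merchants' review stores (assumed IDs).
REVIEWS = {
    "merchant-1001": [("alice@example.com", 5, "Great mug")],
    "merchant-1002": [("bob@example.com", 2, "Handle broke")],
}


def reviews_csv(merchant_id):
    """Render one merchant's reviews as the CSV an export would return."""
    rows = ["email,rating,body"]
    rows += [f"{e},{r},{b}" for e, r, b in REVIEWS[merchant_id]]
    return "\n".join(rows)


# ---- Vulnerable design: the merchant ID in the URL is the only "key" ----
_vuln_exports = {}  # export hash -> merchant ID it was issued for


def vuln_export_hash(merchant_id):
    """Models GET /export?merchant=<id> with no session check: anyone who can
    scrape a merchant ID gets a valid export hash for that merchant."""
    h = secrets.token_hex(16)
    _vuln_exports[h] = merchant_id
    return h


def vuln_download(export_hash):
    """Models GET /download/<hash>: the hash by itself authorises the download."""
    return reviews_csv(_vuln_exports[export_hash])


# ---- Hardened design: bind the export to the authenticated merchant ----
SERVER_KEY = secrets.token_bytes(32)  # assumed server-side signing secret


def request_export(session_merchant_id, requested_merchant_id):
    """Same request, but the caller must be logged in as the merchant being
    exported. The token is an HMAC over merchant ID and expiry, so it cannot
    be forged or re-pointed at another merchant by editing the URL."""
    if session_merchant_id is None:
        raise PermissionError("authentication required")
    if session_merchant_id != requested_merchant_id:
        raise PermissionError("cannot export another merchant's data")
    expires = int(time.time()) + 600
    payload = f"{requested_merchant_id}:{expires}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def download(session_merchant_id, token):
    """Check signature, expiry, and that the token was issued to the merchant
    the session belongs to, before releasing the CSV."""
    try:
        merchant_id, expires, sig = token.rsplit(":", 2)
    except ValueError:
        raise PermissionError("malformed token")
    payload = f"{merchant_id}:{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    if int(expires) < time.time():
        raise PermissionError("token expired")
    if merchant_id != session_merchant_id:
        raise PermissionError("token not issued to this merchant")
    return reviews_csv(merchant_id)


if __name__ == "__main__":
    # Vulnerable path: no session at all, another merchant's emails come back.
    print(vuln_download(vuln_export_hash("merchant-1002")))
    # Hardened path: same attempt is refused before a token is even issued.
    try:
        request_export("merchant-1001", "merchant-1002")
    except PermissionError as exc:
        print("refused:", exc)
```

The point of the hardened version is not the hash itself but what the server checks around it: the export is only issued to a session that owns the merchant, the token carries the merchant ID under a server-side signature, and the download re-checks that binding. Rotating or lengthening the hash would not have fixed the original problem, because the hash was freely available to anyone who supplied a merchant ID.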