Easton's stuff Geek, coding and other madness....

Discovering a Critical Vulnerability in a Shopify App: Loox Reviews

I’m no stranger to stumbling upon oddities in software, but this time I found something big: a vulnerability in Loox Reviews, a popular Shopify app, that made me raise an eyebrow. Loox is a well-known reviews app that many Shopify merchants use to build credibility with customer feedback. What I found was a critical flaw that could expose sensitive customer data, all because of an insecure direct object reference (IDOR).
Please note that this vulnerability was discovered and fixed in 2023; this blog post is a post-mortem.
