Vulnerability in Popular Shopify Privacy Plugin Exposed Stores

A widely used Shopify plugin designed to help merchants comply with privacy laws had inadvertently put hundreds of online stores in danger. Recent findings reveal a major security flaw that kept sensitive data exposed for months.

Analysis by security researchers at Cybernews found that Consentik, an app launched in 2018 and rated highly on Shopify, was running a misconfigured Apache Kafka server. The server was openly reachable from the internet, with no access control in front of it, and was leaking real-time website analytics along with authentication tokens. The exposure lasted for over four months before the server was finally secured.
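The article does not say which broker settings were wrong, so the following is an added illustration, not Cybernews' or Omegatheme's material: a small audit script, with constructed sample configs, that flags the Kafka `server.properties` settings which leave a broker readable by anyone who can reach its port (a plaintext listener, no authorizer, or permissive ACL defaults).

```python
import re

# Constructed sample configs (an assumption: the article does not say which
# settings the exposed broker actually had; these show the typical shape).
WEAK_CONFIG = """\
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://203.0.113.10:9092
"""
HARDENED_CONFIG = """\
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://kafka.internal.example:9093
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:admin
"""

def parse_properties(text):
    """Minimal key=value parser for Kafka's server.properties format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_kafka_config(text):
    """Return findings for settings that let any client reaching the port read topics."""
    p = parse_properties(text)
    findings = []
    # listener.security.protocol.map can rename listeners; by default name == protocol.
    proto_map = dict(pair.split(":", 1) for pair in
                     p.get("listener.security.protocol.map", "").split(",") if ":" in pair)
    for entry in p.get("listeners", "").split(","):
        m = re.match(r"([A-Za-z_]+)://[^:]*:(\d+)$", entry.strip())
        if not m:
            continue
        name, port = m.groups()
        proto = proto_map.get(name, name)
        if proto == "PLAINTEXT":
            findings.append(f"listener {name}:{port} is PLAINTEXT: no encryption, no client authentication")
        elif proto == "SSL" and p.get("ssl.client.auth") != "required":
            findings.append(f"listener {name}:{port} is SSL without ssl.client.auth=required: clients unauthenticated")
    if "authorizer.class.name" not in p:
        findings.append("no authorizer.class.name: every connected client can read and write every topic")
    elif p.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true: topics without an explicit ACL are open to all")
    return findings
```

Run `audit_kafka_config(open("server.properties").read())` against your own broker config; an empty list means the three checks pass, and a broker that still needs to be reachable by the app should additionally sit behind a firewall or private network rather than a public address.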

Consentik, developed by Omegatheme, is meant to simplify compliance with privacy laws and requirements such as GDPR or CCPA by adding cookie consent banners to online stores. Trusted by thousands of merchants worldwide and holding a 4.9-star rating, it has become a go-to solution for many.

The exposed information included:

  • Website analytics data — details about visitors and how they interacted with the site
  • Shopify admin credentials — tokens that could allow hackers to fully control a store
  • Facebook ad tokens — access to linked advertising accounts

In the hands of cybercriminals, these tokens could be used to hijack stores, steal customer information, manipulate product prices, or inject malicious code. They could even replace your store with a fake version to trick customers into giving away their payment info.

Anyone who knew where to look could access sensitive data from hundreds of stores. This creates a serious risk—attackers could potentially take over stores or run fraudulent advertising campaigns on behalf of merchants. Once the researchers reached out to Omegatheme, the company quickly moved to fix the problem.

This incident underscores that security isn’t a one-time setup and even trusted, highly-rated apps aren’t immune to vulnerabilities. As a store owner, it’s crucial to stay vigilant: regularly check your apps, limit permissions, and keep everything updated. Doing so can help prevent your store from becoming a target.
