- Consentik, a cookie consent and consent management application for Shopify, left sensitive data in an exposed archive
- The archive was accessible for at least 100 days, if not longer
- It included site analytics data, Shopify personal access tokens and Facebook authentication tokens
A major and well-known Shopify plugin leaked sensitive information for months, exposing hundreds of e-commerce companies to all kinds of risks, experts warned.
Security researchers at Cybernews spotted the leak and helped close the hole after discovering a publicly accessible Kafka server that contained sensitive data from Consentik.
Consentik is a cookie management and consent application for Shopify, designed to help store owners comply with privacy regulations such as the GDPR, CCPA, LGPD and others. The data found on this server included site analytics data, Shopify personal access tokens and Facebook authentication tokens.
Serious risk
Consentik was built by the Vietnamese web developer Omegatheme in 2018, and according to data from StoreLeads, the Consentik GDPR cookie banner is currently installed on 4,180 Shopify stores, which means there was a lot of information to harvest.
The plugin has a 4.9-star rating and a "Built for Shopify" badge, presenting itself as a trustworthy and reliable solution for merchants seeking to comply with global privacy laws.
The report does not indicate how much information was present in the archive, nor the number of e-commerce sites exposed to potential risk. However, it explained that the risk was serious:
"In the wrong hands, a valid Shopify token can mean total control of a store, including access to customer data, price manipulation, malicious code injection or even replacement of entire storefronts with lookalike phishing pages," the researchers said.
"The Facebook tokens, on the other hand, opened another door to connected Meta Ads accounts, allowing attackers to launch fraudulent campaigns at the merchant's expense."
Cybernews researchers did not say whether anyone had managed to access these files in the past, but they said the archive was available for at least 100 days before being closed in late May 2025.
Via Cybernews