Cybersecurity Roundup – February 2023: T-Mobile Fallout, ChatGPT abuse, and Shopify’s Hardcoded API Tokens

This February saw a few API vulnerabilities that should serve not only as cautionary tales, but as face-palm moments. Shopify’s hard-coded API keys mean that 4 million+ users have their PII exposed, ChatGPT isn’t supposed to be able to generate malicious content, but cybercriminals have worked around that, and more fallout from the T-Mobile breach.

Let’s Start with Shopify — Hardcoded API Tokens Present a Huge Risk — and Exposed 4 Million Users Globally

It was reported in February that Shopify was identified by Cybersec company CloudSEK’s BeVigil, putting over 4 million users at risk. Twenty one e-commerce apps were identified as having
22 hardcoded shopify API keys/tokens.

This exposes PII to threat actors. These e-commerce apps are putting close to 4 million users worldwide at risk.

How did this happen? Evidently, Shopify provides several token types used for development, and which provide the requisite level of access needed to access Shopify store data.  The Shopify API key identifies the app or integration making the calls. This API key is generated when users create an app within the Shopify Partner Dashboard. 

The key, being hardcoded, is visible to anyone who has access to the code. There were at least 18 hardcoded keys that allowed viewing sensitive data, 7 API keys that allow view/modify of gift cards, and 6 API keys that allow obtaining payment account information.



As reported by TechCircle,

CloudSEK researchers have found that of the total hardcoded keys, at least 18 keys allow viewing customer-sensitive data, 7 API keys allow viewing/modifying gift cards and 6 API keys allow obtaining payment account information, including balances and payouts. “While the total number of downloads of these apps exceeds 182K, the actual number of impacted users is significantly more,” it said.  

The company said, while this situation is not a limitation of the Shopify platform, it highlights the issue of API keys/tokens being leaked by app developers. As part of responsible disclosure, CloudSEK has notified Shopify and the affected apps about the hardcoded API keys.

Once an attacker has that key, they can access sensitive data (see our take on the rising risk of Sensitive Data Exfiltration) or take actions within the program. The shame of it is that this is pretty avoidable.  According to Vishal Singh, senior security engineer at CloudSEK, “”The recent discovery of hardcoded Shopify keys in numerous Android apps is just another example of the lack of proper API Security in the industry.”

Hackers Bypass ChatGPT Restrictions to Perpetuate Malicious Use

Security researchers at Check Point revealed that the natural language ChatGPT interface shuts down explicit prompts for it to do bad things such as writing a phishing email impersonating a bank or creating malware.

Here’s an example that researchers recently found. This is an instance of cybercriminals using ChatGPT to “improve” the code of a basic Infostealer malware from 2019. Although the code is not complicated or difficult to create, ChatGPT improved the Infostealer’s code.



ChatGPT was also recently used to create a ransomware Python script, and a Java snippet that allows secret downloads of Windows apps. As you can expect, the possibilities are endless. The security house of cards continues to fall via unsecured APIs, and for something with as much potential as ChatGPT, we can only expect that to escalate even more quickly.


T-Mobile Breach Fallout

The ripple effects of the (most recent) T-Mobile hack continue to spill, this time with a
Google Fi hack victim’s Coinbase and MFA app hijacked.  It’s exactly how it sounds, a victim had his coinbase account hacked, his MFA hijacked, and his outlook email compromised.  It is still unclear how the hackers were able to pull off so much, but the best clue we’ve gotten was an email sent to him from Google Fi informing him and all customers that hackers had stolen their information, in connection with the T-Mobile breach.  Not securing your APIs is clearly not a victimless crime.




About Traceable API Security

Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.