Shopify is leaking personal identifiable customer data

Posted on March 29th, 2018 under Web Development & Design by Chris Lever

I spotted something usual with Shopify recently on one of the client’s websites I work with. It appears you’re able to see customer order details such as the name, shipping address, product order info and last 4 of credit card details.

Guess how I found this? Strangely enough, in the organic search acquisition channel in Google Analytics. If you are a Shopify store owner, here is how you can replicate the conditions.

Login into your Google Analytics account and navigate to: Acquisition > Channels > Organic Search

Then type in order in the advanced search box.

Do you see a bunch of URLs similar to this?

https://www.mywebsite.com/17709403/orders/0a437097555b80f3aa29502b255d875b/authenticate?key=70603d3e47abb4455a270c03dc2e2348

Copy that link and paste it into the address bar in an incognito browser window. Hit return. Do you see the customer order information? Do you not think that’s a little worrying? Especially coming from the organic search channel in Google Analytics.

When I first saw it, I was scratching my head thinking WTF. Are the order details URLs being indexed? Thankfully they are not, I suspect it’s probably the customer themselves copy/pasting the order details confirmation URL directly into the Google Search bar.

Here’s another twist, the order confirmation page with customer details has the potential to be indexed in Google. Here’s why, if you study the Shopify robots.txt file. You will see that /orders is blocked off in the robots file.

But the URL is store ID forward-slash orders. Example: 17709403/orders/ A quick check in Google Search Console using the robots.txt testing tool and fetch as Google tool will allow you to render and index those URLs. There’s no canonical tag set in the customer order confirmation page, so yep technically they can be indexed.

Shocking right? More annoyance is that you cannot edit the shopify robots.txt file. A workaround that is the URL parameters tool in Google Search Console. For now, until Shopify fix their robots.txt, I would recommend you block Googlebot from crawling the orders directory in the URL parameters tool.

That still leaves the issue with viewing all the customer order details in Google Analytics, I bet that’s not GDPR compliant. I suppose for now you could include it in your excludes list.

I wonder how long it takes Shopify to fix this? Who knows??? I tested the above on 3 Shopify sites, all with exactly the same results.

Spread the love

© 2011 - 2018 - Sitebee Search Consultancy