我在做一些关于Shopify的研究,以确定自己是否想使用它。因此,我从一个使用它的站点购买了一些东西,并在每一步都查看了页面源代码。
我震惊地看到,随结账收据一起返回的Javascript中包含了数量惊人的信用卡信息,黑客很容易查看到,因此也很容易被窃取。
下面是一个样本,其中我的所有数据都已被更改:
<script>
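// Shopify.checkout object embedded in the receipt page's inline <script> (the poster's sample;
// personal data altered by the poster). Extraction artifacts were repaired here: spaces that had
// been inserted inside tokens ("- 05:00", " location_id", "s hopifycs", "15925165 42536",
// "142986457 9144", "compare_at_pric e", "? v=") and the markdown ** emphasis markers around the
// credit_card / billing_address section, which together made the snippet unparseable.
//
// Security note: this is a plain page global, so it is readable by any script that runs on the
// receipt page (including any third-party tag loaded there) and by anyone who views source.
// No full card number is present — first_digits/last_digits is a truncated PAN — but the object
// still carries an e-mail address, phone numbers, postal addresses, a customer id and a checkout
// token, so it should be treated as personal data when deciding what scripts may run on the page.
Shopify.checkout = {
  "created_at": "2019-11-13T19:57:17-05:00",
  "currency": "USD",
  "customer_id": 1234566541236,
  "customer_locale": "en",
  "email": "zippy@hotmail.com",
  "location_id": null,
  "order_id": 1870404943944,
  "payment_due": "114.33",
  "payment_url": "https:\/\/elb.deposit.shopifycs.com\/sessions",
  "phone": null,
  "presentment_currency": "USD",
  "reservation_time": null,
  "reservation_time_left": 0,
  "requires_shipping": true,
  "source_name": "checkout_next",
  "source_identifier": null,
  "source_url": null,
  "subtotal_price": "99.00",
  "taxes_included": false,
  "tax_exempt": false,
  "tax_lines": [
    {"price": "6.41", "rate": 0.06, "title": "OR State Tax"},
    {"price": "1.07", "rate": 0.01, "title": "Oregon Tax"}
  ],
  // Checkout token: presumably identifies this checkout to Shopify (its exact use is not shown
  // here); anything that can read this object can read it too, so treat it as sensitive.
  "token": "4c9d55f9bb8898e40fe36e1e75988070",
  "total_price": "114.33",
  "total_tax": "7.48",
  "updated_at": "2019-11-13T19:57:40-05:00",
  "line_items": [
    {
      "id": "0d2b6dd0ad0186984480fb36817f9ed8",
      "key": "0d2b6dd0ad0186984480fb36817f9ed8",
      "product_id": 1592516542536,
      "variant_id": 15850525491272,
      "sku": "ESI 071252",
      "vendor": "My Shopify Store",
      "title": " Euro High Flow S1 Male Coupler",
      "variant_title": "3\/8\" Male",
      "image_url": "https:\/\/cdn.shopify.com\/s\/files\/1\/1239\/9256\/products\/DSC01397.jpg?v=1549034841",
      "taxable": true,
      "requires_shipping": true,
      "gift_card": false,
      "price": "24.75",
      "compare_at_price": null,
      "line_price": "49.50",
      "properties": {},
      "quantity": 2,
      "grams": 85,
      "fulfillment_service": "manual",
      "applied_discounts": []
    },
    {
      "id": "062af9384331b020660f9a021afb55ed",
      "key": "062af9384331b020660f9a021afb55ed",
      "product_id": 1429864579144,
      "variant_id": 12867363536968,
      "sku": "ESI 071202",
      "vendor": "My Shopify Store",
      "title": " Euro High Flow S1 Female Coupler",
      "variant_title": "3\/8\" Female",
      "image_url": "https:\/\/cdn.shopify.com\/s\/files\/1\/1239\/9256\/products\/0U9A6198.jpg?v=1568991566",
      "taxable": true,
      "requires_shipping": true,
      "gift_card": false,
      "price": "24.75",
      "compare_at_price": null,
      "line_price": "49.50",
      "properties": {},
      "quantity": 2,
      "grams": 85,
      "fulfillment_service": "manual",
      "applied_discounts": []
    }
  ],
  "gift_cards": [],
  "shipping_rate": {
    "handle": "BOXIFY (2.0)-USPS%20Priority%20Mail%7CC7739467-7.85",
    "price": "7.85",
    "title": "USPS Priority Mail"
  },
  "shipping_address": {
    "id": 1234566543458,
    "first_name": "Tim",
    "last_name": "Simmons",
    "phone": "+15555555555",
    "company": "",
    "address1": "123 Main Street",
    "address2": "",
    "city": "Juxnus",
    "province": "Oregon",
    "province_code": "OR",
    "country": "United States",
    "country_code": "US",
    "zip": "12345"
  },
  // --- start of the section the poster highlighted in bold ---
  "credit_card": {
    "first_name": "Tim",
    "last_name": "Simmons",
    // Truncated PAN: the first six digits (issuer identification number) and the last four.
    // The middle digits are not present, so this alone does not reconstruct the card number,
    // though combined with expiry and cardholder name it is still data worth protecting.
    "first_digits": "123456",
    "last_digits": "9876",
    "brand": "american_express",
    "expiry_month": 1,
    "expiry_year": 2085,
    "customer_id": 1234566541236
  },
  "billing_address": {
    "id": 1234566543458,
    "first_name": "Tim",
    "last_name": "Simmons",
    // Constructed placeholder (same as shipping_address): the value in the post did not look
    // redacted like the rest of the sample, so it is not reproduced here.
    "phone": "+15555555555",
    "company": "",
    "address1": "123 Main Street",
    "address2": "",
    "city": "Juxnus",
    "province": "Oregon",
    "province_code": "OR",
    "country": "United States",
    "country_code": "US",
    "zip": "12345"
  },
  // --- end of the highlighted section ---
  "discount": null
};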
</script>这是标准行为吗?在收据里显示信用卡的10位数字(前6位和后4位)、手机号码、有效期信息和帐单地址?
如果有Shopify的人在关注这个问题,
请回复一下这是标准行为还是开发人员的错误——我当然希望是后者!
发布于 2019-11-15 09:22:08
如果网站存在安全漏洞(比如XSS漏洞),黑客就可以窃取任何信息。
但这同样适用于你的网上银行,这正是为什么需要安全措施来防止这种情况。
也就是说,Shopify的结账流程非常安全,因为它每次都会重定向到一个新的结账页面,很难构造出能够奏效的XSS或CSRF攻击。(并非不可能,但比WooCommerce的结账要困难得多)
此外,结账页面是一个封闭的平台,不允许任何应用程序介入(他们很快会对此提供支持),而且只有Shopify成员才能实际编辑checkout.liquid文件。
无论卡的详细信息是存储在输入字段还是JS对象中,黑客如果能访问该对象,同样也能访问输入字段。
此外,Shopify在白帽黑客社区非常活跃,通过 https://hackerone.com/shopify 报告的任何漏洞都会获得赏金,并且他们会很快修复。
Shopify是首选的电子商务解决方案,这是有原因的。从安全的角度来看,它比其他许多自托管的方案(比如Magento/WooCommerce)要安全得多。
https://stackoverflow.com/questions/58859608