Shopify API Credentials Exposed

Question

I received email from Shopify like :

This is Shopify’s Partner Governance team. We are reaching out as our security team discovered that secret API credentials for the Public/Draft app S**y have been exposed in the following public repository:

We require that you eliminate this vulnerability by a) closing the above exposure, and b) address the vulnerable app by re-creating a new version of the app with new credentials and deleting the exposed app

So, Do I have to delete the Shopify app or is it fine if I only delete that repo? As I don't want to remove old app because getting an access of some points in Shopify app but it will take too much time.

score 0 · Answer 1 · answered Jul 08 '22 at 08:29

0

You should follow what they are saying. You don't need to delete the app.

Yuo remove the credentials from the repository (keep in mind that is not sufficient to just remove the file and push because it will still be in the git history - check here How to remove file from Git history?)
You go into the app settings on shopify.dev and recreate your API secrets.

answered Jul 08 '22 at 08:29

Fabio Filippi

1,732
25
40

I already delete the repo Is is going to work? – vishwas solanki Jul 08 '22 at 11:27
Yes, remember to update your secrets. – Fabio Filippi Jul 08 '22 at 15:17

Shopify API Credentials Exposed

1 Answers1