Sezzle Plugin on Shopify Compromised?
SEO expert Jesse Hanley is reporting on Twitter his discovery that 442 stores on the Shopify platform are mining cryptocurrency, apparently without authorization.
If anyone is using @Shopify's @SezzleInc plugin then you've been compromised.
It's currently injecting @coinhive_com into all stores.
Loads 5x iframe's which all run it in the browser.
Trying to contact @ShopifyPlus with zero luck (direct line, everyone is asleep). pic.twitter.com/pqEkyk50M9
— ˗ˏˋ Jesse Hanley ˎˊ˗ (@jessethanley) March 25, 2018
Hanley has concluded that the Coinhive javascript has been injected into all Shopify stores running the Sezzle plugin. Hanley intended to inform Sezzle of the possible compromise but could not find someone to talk to at the company when it was very late Saturday night.
Every single @sezzleinc store is compromised and I can't find a bloody phone number to call.
What an awful way to do business.
442 stores mining #crypto w/o authorization: https://t.co/Ff0nWXt3wB https://t.co/B9iB3epoav
— ˗ˏˋ Jesse Hanley ˎˊ˗ (@jessethanley) March 25, 2018
The official Twitter account of Shopify Plus did eventually respond with assurances that the issue would be looked at.
Hi, Jesse! We are here to help! May you please email our team at [email protected] and send us a PM with the ticket number you receive? This way we can dig into this in more detail. Thanks! – Jade
— Shopify Support (@ShopifySupport) March 25, 2018
For the record, Coinhive does not steal or damage any data. The most harm it does — if it can be called that — is draining some extra electricity from the computers of visitors who visit a website that deploy the script in the web visitor’s browser. Extended nonstop use may result in the shortened lifespan of hardware. Most authorized implementations of Coinhive, however, do ask for the visitor’s permission.
Sezzle Inc. is an alternative payment platform that promises to increase sales and basket sizes by enabling interest-free installment plans at online stores. When you pay with Sezzle, your purchase is split into four interest-free installments automatically scheduled over the next six weeks. Sezzle is based in Minneapolis with an office in San Francisco.