Bots and Spam accounts

Hopefully this is the correct category for this post.

I have a client that has recently been seeing an increase in fake account creation, where customers are being created without a first name, a last name, or both.
They only have two methods of creating an account for their store. One being the account page and the other one being during checkout. Both methods require first name and last name by default.

I have therefore done a bit of an investigation around this, and I strongly believe that Shopify’s new hCaptcha has a security issue.
Let me break it down:

Shopify uses a public endpoint for create_customer which can be triggered with a POST request. Based on that, I have created a Postman POST request in order to create a customer via this endpoint. (screenshot below)

This seems to work nicely; however, I was not able to finalise it because, since this is a request that can be made without the Admin API, it is subject to the same verification process as creating an account via the frontend. In other words, I need to send an hCaptcha token with the request.

Since hCaptcha is managed by Shopify, I do not have access to generate access tokens on demand.

Apparently, there are ways to generate an hCaptcha verification token programmatically and use that token in the create_customer call. However, this would violate Shopify policies, so I did not want to use it and get us into any trouble.

The way to do it is by using a 3rd-party service that handles captcha verifications, such as 2captchas. We send a request to 2captchas with the hCaptcha site-key and domain, which returns us the verification token. This verification token is then used in the call to create_customer in Shopify. In theory this would allow us to create a customer with only an email address, which I suppose is the method used by our attackers.

Since actioning this further would risk our account getting flagged, because it would violate Shopify’s policies, I have not fully tested this avenue.

It is worth mentioning that the hCaptcha uses a site-key that Shopify exposes on the frontend, which I believe is what the attackers use in order to generate a fake access token.

Also worth mentioning: this wasn’t an issue with the Google captcha, and it is something that my client has been experiencing lately, after Shopify introduced hCaptcha.

In conclusion, fake customers can be created with POST requests and clever engineering. While we do have a flow in place that deletes any fake account created in Shopify, the flow is not acting quickly enough to stop these accounts from being created in our email service platform, and is therefore causing us unnecessary costs.

Currently, a few potential solutions to mitigate this are on the table with my team, including a custom middleware app for account creation where we do the validation server-side and stop using the native hCaptcha, since it is flawed. However, this has not yet been approved.

It would be good to know if anyone else is experiencing this and if Shopify has any plans for fixing this.
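The server-side validation the post mentions as a candidate mitigation, as an added example that is not part of the original post and is not Shopify's code. It assumes the customer record carries the fields first_name, last_name and email (mirroring the storefront form); the sample records are constructed. The same check serves two purposes described above: rejecting a creation request that arrives with only an email address, and scanning already-created records so the cleanup flow can delete them before they are synced to the email platform.

```python
"""Server-side validation for customer-creation payloads (added example).

Assumption: records use the keys first_name, last_name and email, as the
storefront form does. Not Shopify's code.
"""
import re
from dataclasses import dataclass

# Deliberately loose email shape check; the point is to catch empty or
# obviously malformed values, not to fully validate RFC 5322 addresses.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

REQUIRED_NAME_FIELDS = ("first_name", "last_name")


@dataclass(frozen=True)
class ValidationResult:
    ok: bool
    errors: tuple


def validate_customer_payload(payload: dict) -> ValidationResult:
    """Return ok=True only if both names are present and non-blank and the
    email looks well-formed. A whitespace-only name counts as missing, which
    is the pattern the post describes (accounts with no first/last name)."""
    errors = []
    for field in REQUIRED_NAME_FIELDS:
        value = payload.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field} is required")
    email = payload.get("email")
    if not isinstance(email, str) or not EMAIL_RE.match(email.strip()):
        errors.append("email is missing or malformed")
    return ValidationResult(ok=not errors, errors=tuple(errors))


def find_suspect_accounts(customers):
    """Ids of existing records that fail validation, for the deletion flow."""
    return [c["id"] for c in customers if not validate_customer_payload(c).ok]


def accounts_to_sync(customers):
    """Records that pass validation and may be forwarded to the email
    platform; suspect records are held back so they never incur a cost."""
    return [c for c in customers if validate_customer_payload(c).ok]


# Constructed sample records: one legitimate, three matching the fake pattern.
SAMPLE_CUSTOMERS = [
    {"id": 1, "first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com"},
    {"id": 2, "first_name": "", "last_name": "", "email": "bot1@example.com"},
    {"id": 3, "email": "bot2@example.com"},
    {"id": 4, "first_name": "   ", "last_name": "X", "email": "not-an-email"},
]

if __name__ == "__main__":
    print("suspect ids:", find_suspect_accounts(SAMPLE_CUSTOMERS))
    for record in SAMPLE_CUSTOMERS:
        print(record["id"], validate_customer_payload(record))
```

In a middleware app this check runs before the create_customer call is ever made, so a request carrying only an email address is rejected regardless of whether a captcha token accompanied it; the same function applied to a periodic export of new customers gives the cleanup flow its list of ids, and gating the email-platform sync on the validation result removes the race the post describes.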

Hi Octavian,

Thanks for flagging this, and for describing your steps to test this approach. I’ve brought this to the attention of our internal product teams and will update here when I hear back.

DMing you for follow up questions.

Sure, no problem. Thanks for picking this up.