How to handle a webhook exploit?

Hi, I am a Shopify app developer. Currently one of my apps is listed.

Recently someone with the store URL v0srmi-gv.myshopify.com downloaded my app. The main issue with this is that he has some kind of script which is creating a customer every 2-4 seconds. It's affecting our database and network. Is there any way to unsubscribe the webhooks of this store without making him uninstall? Or is there any other way to handle this situation? Attaching a screenshot for better reference.

Hi @Murgesh_Ekunde,

Sometimes you’ll get a burst of webhooks from a single store, but it doesn’t necessarily mean that they’re trying to cause harm. For example, they could be migrating old orders to Shopify, which would have the effect of creating a new customer every couple of seconds.

I’m not sure what your setup is, but there are a few quick things you can do:

  • If you have shop-specific webhooks that you create through the REST or GraphQL API, you can make an API call to delete the specific webhook in question. This will get your data out of sync, so you might need to do a reimport of all data at a later point.
  • If you’re using app-specific webhooks (i.e., ones that are configured in the TOML file), as a temporary measure you could deploy code to ignore messages from a specific Shopify domain. Instead of processing the whole message, just return an HTTP 200 OK.

Longer term some of the following could help:

  • Process your webhook messages with background workers and a queue (if you’re not already) and assign a lower priority to messages from high-volume stores
  • See if you can optimize your code to handle a new customer every few seconds

I hope this helps,
Daniel


One other thing I would recommend is using a managed messaging system such as Google Pub/Sub. This will enable your app to more easily handle large spikes and you can process messages at your own pace without losing data.

We have a tutorial that walks through how to use declarative webhooks and Google Pub/Sub.
