Shopify Forms overwrites the customer with no authentication

There’s an issue with Shopify Forms where a form submission will overwrite the customer record regardless of whether the user submitting the form is logged in or not.

So say there is an existing customer with the email bob@example.com.

Then I go to the site and fill out the form using bob@example.com and my own name - it will overwrite that customer record with the details I filled out.

Hi Kalen,

Thanks for flagging this. I’ve reached out to the relevant team to highlight this to them - will update here when I hear back from them.

1 Like

Hi again Kalen,

The product team that owns this area have confirmed that currently, we don’t have any validation checking if the user is logged in. We’re matching based on email (and phone if submitted) and saving the latest submission info. We don’t allow overwriting of information like phone and email, but we do overwrite information on the metafields. The team are exploring how this could be improved but no details to share on that for the moment.

1 Like

But first name and last name I believe are overwritten as well? I’m not sure I’ve tested much beyond that.

Metafields are also overwritten. The fact that there’s no security around this blows my mind.

2 Likes
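A simplified model of the behaviour discussed in this thread, added here as an example and not taken from Shopify or from any poster: the first function matches on email and saves the latest submission with no login check, the second merges into an existing record only when the session belongs to that customer. All class, function and field names are hypothetical, and holding unauthenticated submissions for confirmation is an assumed mitigation, not something the thread says Shopify does.

```python
# Toy model only; not Shopify's code. Every name here is hypothetical.
from dataclasses import dataclass, field

@dataclass
class Customer:
    email: str
    phone: str = ""
    first_name: str = ""
    last_name: str = ""
    metafields: dict = field(default_factory=dict)

# Names are included because the original poster reports them as overwritten.
PROFILE_FIELDS = ("first_name", "last_name")

def _apply(customer, submission):
    """Copy profile fields and metafields; email and phone are never overwritten."""
    for key in PROFILE_FIELDS:
        if key in submission:
            setattr(customer, key, submission[key])
    customer.metafields.update(submission.get("metafields", {}))

def submit_form_as_described(customers, submission):
    """Match on email and save the latest submission, with no login check."""
    email = submission["email"]
    customer = customers.setdefault(email, Customer(email=email))
    _apply(customer, submission)
    return customer

def submit_form_hardened(customers, pending, submission, session_email=None):
    """Merge into an existing record only for a session logged in as that customer."""
    email = submission["email"]
    customer = customers.get(email)
    if customer is None:
        # No existing record to protect: create one from the submission.
        customers[email] = customer = Customer(email=email)
        _apply(customer, submission)
        return "created"
    if session_email == email:
        _apply(customer, submission)
        return "updated"
    # Existing customer, unauthenticated submitter: keep the data apart
    # until the address owner confirms it (assumed mitigation).
    pending.append(submission)
    return "held"
```
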