Vuln Disclosure

Fail-open: how a 3-day window in the App Store review pipeline let through a credential-stealer

Starship Research · March 22, 2026

Coordinated disclosure of a publish-flow bug we reported to Shopify Trust on March 14. Malicious updates were briefly approved without the static-analysis gate firing. Patched on March 17.

This analysis comes out of the Starship research team's continuous audit of the Shopify ecosystem. Every app that reaches a merchant store is rescanned for permission drift, undeclared data destinations, and provenance changes. Occasionally a pattern emerges that's worth writing up in full.

What we found

On the surface the listing looked unremarkable: a well-rated app, a verified publisher badge, and a privacy policy that said all the right things. The behavior told a different story. Static analysis of the theme app extension surfaced an obfuscated loader, and network observation confirmed that storefront events were being beaconed to hosts that never appeared in the app's declared subprocessor list.

Crucially, none of this required installing the app on a live store. The same signals (requested OAuth scopes, declared destinations, TLS posture, and publisher history) are available before a single line of vendor code touches a storefront.

The gap between what an app declares and what it actually does is where merchant risk lives.
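To make the declared-versus-observed comparison concrete, here is an added example of the kind of pre-install audit the two paragraphs above describe. It is illustrative code written for this post, not Starship's scanner or any Shopify API; every hostname, scope name, publisher id and egress line in it is constructed. It parses a small egress observation, flags destinations missing from the declared subprocessor list and any contact made without TLS, diffs OAuth scopes and publisher identity between two listing snapshots, and reduces the findings to a verdict that a review workflow could act on.

```python
"""Declared-vs-observed audit for an app listing: added example, not Starship tooling.

All hostnames, scope names and publisher ids below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# What the listing declares as its data destinations (constructed).
DECLARED_SUBPROCESSORS = {"api.example-vendor.test", "cdn.example-vendor.test"}

# Two provenance snapshots of the same listing, taken days apart (constructed).
PREVIOUS_SNAPSHOT = {"publisher_id": "pub-1001", "scopes": {"read_products"}}
CURRENT_SNAPSHOT = {
    "publisher_id": "pub-2002",
    "scopes": {"read_products", "read_orders", "read_customers"},
}

# Egress seen while loading the extension in a sandboxed storefront (constructed).
OBSERVED_EGRESS = """\
GET https://api.example-vendor.test/v1/config 200
POST https://cdn.example-vendor.test/ping 204
POST https://collect.unlisted-host.test/e 200
POST http://collect.unlisted-host.test/e 200
garbage line that should be ignored
"""

_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def parse_egress(text):
    """Turn one observation per line into (method, scheme, host) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        u = urlparse(m.group("url"))
        if not u.hostname:
            continue
        events.append((m.group("method"), u.scheme.lower(), u.hostname.lower()))
    return events


def _is_declared(host, declared):
    """A host is covered if it is a declared subprocessor or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in declared)


def undeclared_destinations(events, declared):
    """Hosts that received traffic but appear nowhere in the declared subprocessor list."""
    return {host for _, _, host in events if not _is_declared(host, declared)}


def plaintext_destinations(events):
    """Hosts contacted over plain http, i.e. without TLS."""
    return {host for _, scheme, host in events if scheme == "http"}


def scope_drift(previous, current):
    """(added, removed) OAuth scopes between two snapshots of the listing."""
    return current - previous, previous - current


def audit(declared, previous, current, egress_text):
    """Collect findings and reduce them to a verdict: block > review > ok."""
    events = parse_egress(egress_text)
    added, removed = scope_drift(previous["scopes"], current["scopes"])
    findings = {
        "undeclared_destinations": sorted(undeclared_destinations(events, declared)),
        "plaintext_destinations": sorted(plaintext_destinations(events)),
        "scopes_added": sorted(added),
        "scopes_removed": sorted(removed),
        "publisher_changed": previous["publisher_id"] != current["publisher_id"],
    }
    if findings["undeclared_destinations"] or findings["plaintext_destinations"]:
        verdict = "block"      # data leaving to an unlisted or unencrypted destination
    elif findings["scopes_added"] or findings["publisher_changed"]:
        verdict = "review"     # broadened reach or new owner: a human should look
    else:
        verdict = "ok"
    findings["verdict"] = verdict
    return findings


if __name__ == "__main__":
    report = audit(DECLARED_SUBPROCESSORS, PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, OBSERVED_EGRESS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the constructed listing: one undeclared host that is also reached over plain http, two added scopes, a changed publisher id, and a verdict of `block`. The severity ordering is a design choice for the example; the point is that every input here is observable before install, so the verdict can gate approval rather than follow an incident.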

Why it matters

Merchants approve apps based on ratings and a short permissions prompt. Neither captures where data goes after install, who the publisher really is, or whether a recently changed owner has quietly broadened the app's reach. A single risky install can expose checkout PII, customer records, and order history across every channel the store runs.

What to do

Treat every install as a supply chain decision. Check the Starship report before approval, watch the score for drift after install, and wire verdicts into the review workflow your team already uses, so that a newly flagged change triggers action automatically rather than an incident review three months later.