Starship
starship / search / shiprocket

Audit report

Shiprocket ‑ Shipping in India

CriticalReach : broad

by Shiprocket · Orders and shipping · Shopify App Store

Orders and shipping
Risk level
Critical
Executive summary

eCommerce logistics service with lowest courier rates in India

Key insights

  • Confirmed September 2025 data breach claim with 8M+ records and a PoC for sale, supply-chain risk for every connected merchant.
  • Two critical CVEs (CVE-2025-0580 / CVE-2025-0579) in Shiprocket Module on OpenCart show poor authorization controls in the publisher's integration codebase.
  • Publisher domain has clean TLS (Cloudflare), HSTS preload, and a content-security-policy header, but script-src includes unsafe-inline/unsafe-eval.
  • Rating 4.2 / 684 reviews, no Built for Shopify badge.

Top findingsview all

  • Critical
    Major data breach (8M+ records, Sep 2025)
  • Critical
    CVE-2025-0580, critical auth bypass in Shiprocket Module 3 (OpenCart)
  • High
    Database reportedly on sale on cybercrime forum
Synthesis

Analysis summary

eCommerce logistics service with lowest courier rates in India

Key insights
  • Confirmed September 2025 data breach claim with 8M+ records and a PoC for sale, supply-chain risk for every connected merchant.
  • Two critical CVEs (CVE-2025-0580 / CVE-2025-0579) in Shiprocket Module on OpenCart show poor authorization controls in the publisher's integration codebase.
  • Publisher domain has clean TLS (Cloudflare), HSTS preload, and a content-security-policy header, but script-src includes unsafe-inline/unsafe-eval.
  • Rating 4.2 / 684 reviews, no Built for Shopify badge.
  • Privacy policy text was sparse on data residency, sub-processors, retention, and compliance certifications.

This section is available to signed-in users

Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.

Get started
Permissions

OAuth scopes requested

These are the access permissions this app asks for during install. The sensitivity column reflects PII exposure and merchant impact.

read_orders
High

Logistics apps need order data to create shipments; combined with breach history, scope is high-risk.

write_orders
High

Fulfillment write access, required for label/tracking updates but elevates blast radius.

read_customers
High

Needed for shipping addresses, customer PII central to the recent breach claims.

read_fulfillments
Medium

Standard for 3PL integration.

write_fulfillments
High

Required to push fulfillment events back to Shopify.

read_shipping
Medium

Required to compute and display rates.

This section is available to signed-in users

Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.

Get started

This section is available to signed-in users

Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.

Get started
Attack surface

Network surface

Primary domain
shiprocket.in
TLS grade
A
HSTS
Enabled
CSP
Enabled

HSTS preload (max-age=63072000, includeSubDomains, preload). CSP present but script-src allows 'unsafe-inline' and 'unsafe-eval'. Behind Cloudflare; WP Engine origin.

Posture

Compliance & certifications

GDPR webhooks Fail
SOC 2 Type II Fail
ISO 27001 Fail
PCI DSS Fail

No certifications confirmed from fetched content. Shiprocket publishes an Information Security Policy PDF (2023), but no third-party certifications surfaced.

Privacy policy
Track record

Publisher reputation

Publisher
Shiprocket
Verified Shopify Partner
No
Years active
9
Other apps
4
Past incidents
  • Sep 2025, 8M+ record data breach claim with PoC for sale (FalconFeeds / Brinztech)
  • CVE-2025-0580, critical auth bypass in Shiprocket Module 3 (OpenCart)
  • CVE-2025-0579, access bypass via logic error / type confusion
LLM exposure

AI / LLM usage

No LLM usage detected. This app does not appear to forward any customer or merchant data to large-language-model providers.