Audit report
Shiprocket ‑ Shipping in India
CriticalReach : broadby Shiprocket · Orders and shipping · Shopify App Store
eCommerce logistics service with lowest courier rates in India
Key insights
- ◆Confirmed September 2025 data breach claim with 8M+ records and a PoC for sale, supply-chain risk for every connected merchant.
- ◆Two critical CVEs (CVE-2025-0580 / CVE-2025-0579) in Shiprocket Module on OpenCart show poor authorization controls in the publisher's integration codebase.
- ◆Publisher domain has clean TLS (Cloudflare), HSTS preload, and a content-security-policy header, but script-src includes unsafe-inline/unsafe-eval.
- ◆Rating 4.2 / 684 reviews, no Built for Shopify badge.
Top findingsview all
- CriticalMajor data breach (8M+ records, Sep 2025)
- CriticalCVE-2025-0580, critical auth bypass in Shiprocket Module 3 (OpenCart)
- HighDatabase reportedly on sale on cybercrime forum
Analysis summary
eCommerce logistics service with lowest courier rates in India
- ◆Confirmed September 2025 data breach claim with 8M+ records and a PoC for sale, supply-chain risk for every connected merchant.
- ◆Two critical CVEs (CVE-2025-0580 / CVE-2025-0579) in Shiprocket Module on OpenCart show poor authorization controls in the publisher's integration codebase.
- ◆Publisher domain has clean TLS (Cloudflare), HSTS preload, and a content-security-policy header, but script-src includes unsafe-inline/unsafe-eval.
- ◆Rating 4.2 / 684 reviews, no Built for Shopify badge.
- ◆Privacy policy text was sparse on data residency, sub-processors, retention, and compliance certifications.
This section is available to signed-in users
Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.
Get startedOAuth scopes requested
These are the access permissions this app asks for during install. The sensitivity column reflects PII exposure and merchant impact.
| Scope | Sensitivity | Why we flag it |
|---|---|---|
read_orders | High | Logistics apps need order data to create shipments; combined with breach history, scope is high-risk. |
write_orders | High | Fulfillment write access, required for label/tracking updates but elevates blast radius. |
read_customers | High | Needed for shipping addresses, customer PII central to the recent breach claims. |
read_fulfillments | Medium | Standard for 3PL integration. |
write_fulfillments | High | Required to push fulfillment events back to Shopify. |
read_shipping | Medium | Required to compute and display rates. |
read_ordersLogistics apps need order data to create shipments; combined with breach history, scope is high-risk.
write_ordersFulfillment write access, required for label/tracking updates but elevates blast radius.
read_customersNeeded for shipping addresses, customer PII central to the recent breach claims.
read_fulfillmentsStandard for 3PL integration.
write_fulfillmentsRequired to push fulfillment events back to Shopify.
read_shippingRequired to compute and display rates.
This section is available to signed-in users
Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.
Get startedThis section is available to signed-in users
Sign up free to unlock findings, data flow and theme code analysis for every Shopify app.
Get startedNetwork surface
- Primary domain
- shiprocket.in
- TLS grade
- A
- HSTS
- Enabled
- CSP
- Enabled
HSTS preload (max-age=63072000, includeSubDomains, preload). CSP present but script-src allows 'unsafe-inline' and 'unsafe-eval'. Behind Cloudflare; WP Engine origin.
Compliance & certifications
No certifications confirmed from fetched content. Shiprocket publishes an Information Security Policy PDF (2023), but no third-party certifications surfaced.
Privacy policyPublisher reputation
- Publisher
- Shiprocket
- Verified Shopify Partner
- No
- Years active
- 9
- Other apps
- 4
- ●Sep 2025, 8M+ record data breach claim with PoC for sale (FalconFeeds / Brinztech)
- ●CVE-2025-0580, critical auth bypass in Shiprocket Module 3 (OpenCart)
- ●CVE-2025-0579, access bypass via logic error / type confusion