As developers, we all know the importance of securing APIs, especially when dealing with sensitive data. But sometimes, despite the best intentions, critical mistakes are made. One such mistake is failing to secure your API endpoints, which can leave your platform exposed to potential attacks. Unfortunately, this is exactly what happened with the app Every Possible Discount, built by Seventh Triangle Consulting.
This wasn’t just a minor oversight—this was a critical security lapse that exposed sensitive user data to the world, and it’s a glaring example of how security fundamentals can be completely overlooked. The implications of this mistake go far beyond simple negligence—this exposed endpoint could have been easily exploited by anyone who knew where to look. It’s alarming how such a massive oversight could happen, especially in 2025 when securing APIs is a well-established practice.
The Mistake: Exposing Sensitive Data to Anyone Who Knows Where to Look
During an assessment, it was discovered that Every Possible Discount had an API endpoint that was publicly exposed with no authentication, no authorization checks, and no rate limiting. This left critical user data—including access tokens and user credentials—freely available to anyone who stumbled across the endpoint.
This wasn’t some obscure, difficult-to-find vulnerability either. Anyone with the right tools and knowledge could have easily exploited it. What’s even more disturbing is the fact that this exposure could have lasted for months. When basic security measures are omitted, you're essentially giving attackers the keys to your user data, without any barriers.
The Unseen Problem: Cached Data Can Still Expose Sensitive Information
Now, you might be thinking, “Okay, so they’ve probably fixed the endpoint by now, right?” Maybe they did, but that’s where the problem gets worse. It’s not just about changing the base URL or adding authentication—cached data from web crawlers, proxies, and search engines can still expose the old endpoint. Even if changes were made to secure the API, the data is still out there, sitting in caches across the internet.
Once that data is indexed, it can be accessed long after the issue was “fixed.” Attackers can use tools like Massy or Alpha to trace back to the unprotected version of the endpoint, allowing them to access up-to-date data and bypass the new security measures that might have been put in place. This is a critical oversight that many developers miss, but it’s something that should have been considered from the start.
In the case of Every Possible Discount, it’s not just about a quick fix like changing URLs or slapping on basic authentication. Even with these changes, the old cached data is still out there, and it’s an easy target for attackers. The new security measures might look good on paper, but the old data is still very much alive—and still very accessible.
Stone-Age Development Practices in 2025: Why It’s Alarming
What’s most frustrating about this situation is that this feels like a Stone Age approach to development. In 2025, the idea that an API endpoint could be left completely exposed without any kind of authentication or rate limiting is almost unthinkable. It’s difficult to believe that such a major oversight could be made, especially when sensitive customer data is at risk.
It’s even more alarming when you consider that one of the stores compromised due to this app is actually a development partner of ours. Seeing such a critical failure in security practices hit so close to home is frustrating, to say the least. This wasn’t just a small issue—it’s a massive, avoidable blunder that leaves businesses exposed to huge security risks. It's a reminder that even the most basic security practices need to be followed, no matter the size of the app or the business behind it.
Shopify Takes Action: App Removed from the App Store
The severity of this security risk wasn’t lost on Shopify either. Recognizing the danger it posed, Shopify removed the app from the Shopify App Store as a preventive measure. This decision highlights just how serious the vulnerability was, and it’s a wake-up call for developers everywhere to pay attention to the security of their APIs.
What Can Developers Learn from This?
So, what can we take away from this? There are several key lessons for developers to learn from the Every Possible Discount situation:
Don’t Skip Authentication and Authorization: Make sure every endpoint is protected with proper authentication and authorization mechanisms. No endpoint should be left open to the public without secure access controls.
Understand the Impact of Cached Data: Cached data is still data—even if you make changes to your API, the old data can still be accessible through search engines, crawlers, and proxies. Don’t rely solely on changes to URLs or authentication as your fix. Address cached data, too.
Don’t Settle for Half Measures: Simply adding basic authentication or changing a URL is not enough. Take a deeper look at the architecture and security posture of your API. Implement thorough measures that truly secure your platform.
Perform Regular Security Audits: Proactively test your system for vulnerabilities. Don’t wait for a breach to happen before you start looking for weaknesses.
Conclusion: Security Must Be a Priority, Not an Afterthought
The situation with Every Possible Discount serves as a glaring reminder of just how easily security can be overlooked. A simple mistake, like leaving an API exposed without proper security controls, can lead to devastating consequences—not just for users, but for the company behind the app.
We may never know the exact steps taken by Seventh Triangle Consulting to fix the issue, but one thing is clear: security should never be an afterthought. In today’s digital landscape, protecting sensitive data is not optional—it’s a necessity. Every Possible Discount could have avoided this disaster with proper security practices. This is a cautionary tale for developers everywhere: don’t make the same mistake. Build your systems securely from the start, and make sure you’re testing, auditing, and addressing every potential vulnerability before it becomes a problem.
In the end, don’t assume that small fixes will solve big problems. If there’s one thing that should be clear from this incident, it’s that security requires constant attention, and anything less leaves your users—and your reputation—at risk.
Top comments (1)
It’s hard to believe that something as basic as securing an API endpoint was missed, especially with all the security best practices available today. It's frustrating—how could a developer overlook something so fundamental? Especially when it involves passwords... Did he have a little grudge with the company? It’s like putting your password in a text file and calling it 'secure_notes.txt'!