Trying to create an account for this website and it errored with a debug message that shows the mysql database name, username, and password. That seems bad.

@fuzzbomb What site is it? We should see if we can reproduce the results. For science.

Oh...it also exposes the usernames, passwords, and tokens for their SMTP relay, Shopify, and Sendspace accounts. Yikes. I emailed them, let's see if they respond.

@cR0w https://drumart.com

@fuzzbomb uh what? like a SQL injection?

@adisonverlice It looks like just a PHP error? Seems to use a framework called Symfony.

@fuzzbomb Oh my. It also includes various keys. Yikes.

@cR0w Like the more you read the worse it gets.

@fuzzbomb Yeah. I just emailed the email address in the error messages to give them a heads-up. I wonder if it's a specific misconfiguration or if there is a larger issue with Shopify or a specific plugin right now.

@cR0w Yeah big yikes if it's a Shopify issue.

@fuzzbomb No kidding. I haven't used Shopify but I thought the idea was that it was basically point and click for non-technical shop owners, meaning that the technical details were handled by Shopify. If so, it would seem like there would be a more widespread issue, even if it's only in a specific theme or plugin or whatever. That said, I don't have the time to go around testing more sites so I'll just have to wonder. 😆

@cR0w I just happen to know someone who recently set up a local business and uses the point-and-click no knowledge needed Shopify tools and it doesn't look like this at all.
My guess is this site manually integrated Shopify into their own site with whatever code Shopify provides for that.

@fuzzbomb That would be good for the scale of the issue, but bummer for that shop owner that needs to get it sorted.