All Research·MCP Security

Shopify Exploit: Manipulating Shoppers

Abi Raghuram

Abi Raghuram

Jul 14, 2025 · 10 min read

Shopify Exploit: Manipulating Shoppers

Overview

We identified a critical vulnerability in Shopify's Model Context Protocol (MCP) implementation that allows attackers to manipulate consumer purchasing decisions through malicious prompts embedded in product descriptions.

The Vulnerability

Shopify's AI shopping assistant uses MCP to access product catalog data. When a shopper asks the assistant for product recommendations, the assistant retrieves product descriptions via MCP tools — and those descriptions are included directly in the LLM's context window.

An attacker who can list products on Shopify's marketplace can embed prompt injection payloads in product descriptions. When a shopper's AI assistant retrieves that product, the injected prompt executes in the context of the shopper's session.

Attack Scenarios

**Price Manipulation**: Injected prompts could cause the AI to misrepresent prices or recommend products based on attacker-specified criteria rather than shopper preferences.

**Competitor Suppression**: Malicious sellers could inject prompts that cause the AI to avoid recommending competing products.

**False Reviews**: Injected prompts could cause the AI to fabricate or overstate positive review sentiment for a product.

**Data Harvesting**: In some configurations, injected prompts could cause the AI to share shopper browsing history or wish list data with attacker-controlled endpoints.

The MCP Security Problem

This vulnerability illustrates a fundamental security challenge with MCP: tool responses are treated as trusted data by the AI system, but those responses can contain attacker-controlled content. Without explicit separation between data and instructions, any MCP tool that retrieves external content is a potential injection vector.

Recommendations for MCP Implementers

1. Treat all MCP tool responses as untrusted data

2. Implement output filtering before including tool responses in model context

3. Use structured data formats where possible to limit free-text injection surface

4. Monitor for anomalous patterns in tool call sequences

5. Deploy a Tool Call Firewall to inspect responses before context inclusion

Back to all research