I’ve been using Shop.app for quite some time now, blissfully unaware of a serious privacy/security flaw — one that was uncovered quite by accident when my wife recently placed an online order.
To protect my personal phone number, I use a Google Voice number when signing up on websites I don’t fully trust. Recently, my wife used this Google Voice number to register on a website to receive a discount for an item we wanted for the house.
To our shock, while placing the order, the site automatically pulled in my Shop.app account — including my shipping address and credit card information — even though the Google Voice number she used has never been connected to my Shop.app account.
Even more alarming: we were able to place the order successfully 😱. This is a major breach of expected privacy and security boundaries. I’ve submitted a support ticket regarding this issue, but I wanted to bring further attention to the seriousness of this flaw.
I have removed my credit card details and phone number from my Shop.app account and will not add them back until I have received confirmation on the support ticket that this issue has been taken care of by their team.
Through the lens
