
Your SaaS Stack Is Leaking Customer Data Right Now. SOC 2 Won't Catch It.

ClickUp had a $4B valuation, every compliance badge, and a 465-day plain-text SDK token in their JS bundle. SOC 2 doesn't read your bundles. Here's the audit any Shopify operator can run in 20 minutes.


Last week a security researcher named weezerOSINT did something unremarkable. He opened ClickUp's homepage, clicked View Source, and read the JavaScript bundle that loads before you've even logged in. Sitting in plain text was a Split.io SDK key. One unauthenticated GET request later, he was holding 4.5MB of ClickUp's internal feature-flag configuration, customer email addresses, and rollout-cohort data.

ClickUp is SOC 2 Type II certified. ISO 27001, ISO 27017, ISO 27018, ISO 42001, and PCI DSS certified. Used by 85% of the Fortune 500. Valued at $4 billion. The fix takes about 90 seconds. The leak had been live for at least 465 days.

If you're running a Shopify store, your reaction probably went: bad for them, but I don't sell project management software. The reaction we want you to have is different. Because the same class of mistake almost certainly exists in at least one tool you've installed this year, and the certifications you trust to catch it don't.

The pattern, in plain terms

Modern SaaS apps split their behaviour with feature-flag services like Split.io, LaunchDarkly, Optimizely, and Statsig. The frontend code needs to know which features to show which user. The cleanest way for a developer to wire that up is to pull the SDK key out of an environment variable on the server, embed it into the JavaScript bundle at build time, and ship it. The bundle is then served from a CDN, cached for months, and hands that key to every visitor's browser on every page load.

That works fine if the SDK key is a "client-side" key with restricted permissions. It is a disaster if the developer reached for the wrong key — the "server-side" or "admin" key — because that key, in the hands of any visitor with browser dev tools, can read the entire feature-flag dataset for every customer the platform has ever onboarded.

This is not exotic. This is one tab open and twenty seconds of attention. The detection cost is zero. The exploitation cost is one HTTP request.

Why none of the certifications caught it

SOC 2 Type II audits look at controls and processes: do you have a code review policy, do you rotate credentials, do you maintain an incident response runbook. They do not pull every customer's production JS bundle and grep it for tokens. ISO 27001 is similar — it certifies that you have an information security management system, not that the system is working today on the bundle that just shipped at 14:48.

The honest summary is that the certifications you and your customers rely on are designed to detect organisational drift, not technical mistakes. A SOC 2 audit would not have flagged ClickUp's SDK token any more than it would have flagged a misconfigured S3 bucket. The auditors don't read your main.bundle.js. The certification logo on the marketing page tells you the company has documented processes. It tells you nothing about whether your data is exposed in a file you can View Source on right now.

What this means for a Shopify operator

You probably have between fifteen and thirty third-party scripts in your Shopify theme. Some are explicit installs. Some are loaded by other apps. Each one ships with a JavaScript bundle that runs in your customers' browsers, on your domain. If any of those bundles contains a hardcoded credential — an API key, an SDK token, an internal endpoint — it is readable by anyone who visits your site, including everyone enumerating Shopify stores at scale right now.

A short, uncomfortable list of what we've actually seen on Shopify storefronts during audits this year:

  • A loyalty app shipping a Mixpanel project token with full write access, allowing anyone to inject events into the merchant's analytics and corrupt their conversion data.
  • A subscription app with a hardcoded Stripe publishable key — fine — and a separate hardcoded base URL for an internal admin API, less fine.
  • A reviews widget loading a Klaviyo public key plus an internal feature-flag endpoint that returned the merchant's full A/B test cohort data unauthenticated.
  • A custom theme with a developer's personal AWS S3 read-only key still committed to the bundle, exposing two years of cached product imagery and one accidental folder of payroll PDFs.

None of those merchants were doing anything wrong. None of them were notified by their app vendor. Several of those vendors are SOC 2 certified.

What to actually do

You can run this audit on your own store in twenty minutes. You don't need to be a security person. You need a browser, View Source, and a search.

Open your store in an incognito window, log in if needed, and let the page settle. Open dev tools, go to the Sources tab, and find the largest JavaScript bundles being loaded — they will usually be from your theme, your top three apps, and any analytics scripts. For each one, search the bundle text for these strings: sk_live, secret, private_key, admin, SECRET, PRIVATE, internal, SDK_KEY, and any 32-to-64 character base64-looking strings that sit next to one of the words above. You're looking for tokens that should not be in client-side code.

If you find one, do not publish it. Email the vendor and the Shopify Partner contact for that app, give them the file path and a one-line proof, and ask them to rotate the credential within 48 hours. If they don't respond, escalate to Shopify's abuse channel; they take credential leaks seriously and will pull the listing if needed.
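For the search-and-report steps above, here is an added example scanner in JavaScript (not code from the original post or from Bloodhound) that applies the post's keyword list to a saved bundle and emits a redacted one-line proof for the vendor email rather than the full value. The sample bundle, its placeholder key and the 80-character pairing window are constructed assumptions.

```javascript
// Added example, not code from the original post or from Bloodhound: a scanner
// for the manual audit above. It searches a saved bundle for the post's keyword
// list and for 32-64 character token-looking strings near those keywords, and
// builds a redacted "one-line proof" suitable for the vendor email.
const KEYWORDS = ["sk_live", "secret", "private_key", "admin",
                  "SECRET", "PRIVATE", "internal", "SDK_KEY"];
// A standalone run of 32-64 base64/identifier characters. The lookarounds
// stop longer runs (inline images, source maps) from being split into hits.
const TOKEN_RE = /(?<![A-Za-z0-9+\/=_-])[A-Za-z0-9+\/=_-]{32,64}(?![A-Za-z0-9+\/=_-])/g;
const WINDOW = 80; // assumed: a token within this many chars of a keyword counts as "paired"

function lineOf(text, idx) { return text.slice(0, idx).split("\n").length; }
function mask(value) { return value.slice(0, 4) + "..." + value.slice(-4); }

function scanBundle(text, path = "bundle.js") {
  // Candidate tokens; identifiers that merely contain a keyword (e.g. SPLIT_SDK_KEY)
  // are names, not values, so they are dropped here.
  const tokens = [...text.matchAll(TOKEN_RE)]
    .map(m => ({ value: m[0], at: m.index }))
    .filter(t => !KEYWORDS.some(kw => t.value.includes(kw)));
  const findings = [];
  for (const kw of KEYWORDS) {
    for (let idx = text.indexOf(kw); idx !== -1; idx = text.indexOf(kw, idx + kw.length)) {
      for (const t of tokens) {
        if (Math.abs(t.at - idx) > WINDOW) continue;
        // Only the masked form is kept: the full value must not end up in an email.
        findings.push({ path, line: lineOf(text, idx), keyword: kw,
                        proof: mask(t.value), length: t.value.length });
      }
    }
  }
  return findings;
}

// One line per finding, safe to paste into the vendor / Shopify Partner email.
function reportLine(f) {
  return `${f.path}:${f.line} ${f.keyword} -> ${f.proof} (${f.length} chars)`;
}

// Constructed sample bundle; the "key" is a made-up placeholder, not a real credential.
const SAMPLE_BUNDLE = [
  'var a=1;',
  'window.__cfg={SDK_KEY:"EXAMPLEonlyNotARealKey0123456789abcdefXYZ",env:"prod"};',
  'var publishable="pk_test_public_is_fine";',
  'function admin(){return 1}',
].join("\n");

// CLI use: node scan.js theme.bundle.js (prints redacted report lines only)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const text = require("fs").readFileSync(process.argv[2], "utf8");
  scanBundle(text, process.argv[2]).forEach(f => console.log(reportLine(f)));
}
```

Save a bundle from the Sources tab to disk first; the `admin` function name in the sample is deliberately left unflagged because no token sits within the window of it.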

While you're there, also note any third-party scripts loading from a domain you don't recognise, or any that fail with 4xx responses in the network tab. Failing scripts can leak request URLs and are a separate revenue problem we've covered in detail before.

The deeper point

The story everyone is going to take from the ClickUp leak is "another SaaS company shipped a token in plain text." The story we'd actually like merchants to take is one level up: a $4 billion company with every relevant compliance badge had this live for over a year, and the system that was supposed to catch it didn't. Not because the auditors were lazy. Because that's not what compliance audits are for.

If your trust model for the SaaS in your stack is "they have SOC 2," you have outsourced your security to a process that doesn't read the file your customers are reading. The only reliable check is the one anyone can run: open the bundle, look for the credential, ask the vendor to rotate it. We do this for clients quarterly. The first run is rarely clean.

Bloodhound monitors third-party script changes on Shopify themes and flags new credentials, new failing requests, and new domains in the bundle within minutes of an app update. If you'd like a free first audit on your store, drop us your domain.
