SGDOnline

[Gravid.ca] [SHOPIFY/ZENDESK EXPLOIT] CS Retention Codes Exposed via Zendesk chat integration

Written by

in

This is sketchy and definitely shouldn’t be exposed like this, but I found a way to pull customer service retention codes from gravid.ca’s checkout system.

I was on looking at their cloudmats and noticed they’re on Shopify and use Zendesk chat. The widget was taking forever to load, so I opened DevTools to see what was hanging.

In the Network tab under the Zendesk widget requests, I saw their checkout configuration was being passed to the chat SDK (probably so CS agents can apply codes during chat sessions). The issue is it’s completely client-side and exposed.

Steps to Replicate:

  1. Go to https://gravid.ca/
  2. Open Chrome DevTools (F12) → Network tab
  3. Filter by ‘Fetch/XHR’
  4. Wait for Zendesk chat widget to load (bottom right corner)
  5. Look for the request named “checkout-config” from zendesk.com
  6. Click on it and go to the “Response” tab
  7. Expand the JSON – you’ll see their CS retention codes with priority levels, regions, last_updated timestamps

What I Found:
These codes are clearly meant for their support team to resolve shipping delays, damaged products, customer winbacks, etc. But there’s zero validation – anyone can use them right now.

  • Dollar-based discount codes ($20-$75 off)
  • Tagged with priority levels (2-5) – probably severity of customer issue
  • Region-specific (CA)
  • Last updated late November (right before BFCM – guessing their refreshing for holiday CS prep)

I tested all four and they work perfectly. Just used GRAVID-CS-WINBACK-75 on a persian cloudmat + chunky knit blanket

CONFIRMED WORKING CODES:
✅ GRAVID-CS-WINBACK-75 – $75 off $400+ orders (Priority 5)
✅ GRAVID-CS-DAMAGE-MAJOR-50 – $50 off $200+ orders (Priority 4)
✅ GRAVID-CS-RETENTION-20 – $20 off $100+ orders (Priority 3)
✅ GRAVID-CS-DELAY-COMP-20 – $20 off $100+ orders (Priority 2) (seems to be a duplicate of above)

[Screenshot attached showing the DevTools network request and JSON response]

Question for fellow RFD’ers: Anyone else able to replicate this on other Shopify stores using Zendesk? Seems like a pretty significant integration oversight if CS codes are being passed client-side like this. Not sure how long before they patch this – I’d assume fairly quickly once they realize the codes are accessible.

I added the codes to this google sheet. Pls add more as you find other stores with the same exploit:
https://docs.google.com/spreadsheets/d/ … sp=sharing

Statistics: Posted by Pzfight1 — Nov 27th, 2025 9:28 pm