[Locked] NOTICE To All EasyStore Users: Guest Customer SECURITY HOLE - Question | JoomShaper

[Locked] NOTICE To All EasyStore Users: Guest Customer SECURITY HOLE


Stuart Clark

EasyStore 1 year ago

JoomShaper introduced a new "fix" or "feature" in EasyStore 1.2.1 which was intended to allow guest customers to view their order from the order confirmation page. Unfortunately their implementation was very poor in a couple of ways:

  1. The link displayed on the order confirmation page links to /shop/my-orders (presuming EasyStore is installed under the /shop URL) - however, this URL re-directs to the Joomla login page upon being clicked - making it impossible for guests to view their order.

  2. However, if you manually edit the URL to be /shop/my-orders/order-ID - e.g. /shop/my-orders/24 then as a GUEST you can view the order. Unfortunately you can ALSO view ANY OTHER guest order by simply changing the order-ID value at the end of the URL.

THIS IS A SECURITY ISSUE IN THAT IT EXPOSES PRIVATE PERSONALLY IDENTIFIABLE INFORMATION TO ANYONE ON THE INTERNET

1
46 Answers
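The report above describes an insecure direct object reference: the guest order page is keyed only by a sequential order ID, so anyone can enumerate other customers' orders. The following is an added, framework-agnostic illustration written for this page (it is not EasyStore or JoomShaper code); the order fields, function names and sample data are constructed assumptions. It puts the unchecked-by-ID lookup beside a hardened lookup in which a registered customer only sees orders they own and a guest must present the per-order random token that was issued on the confirmation page, compared in constant time.

```python
"""Guest order lookup: the unchecked-by-ID pattern beside a hardened form.

Constructed example for illustration; not EasyStore's code. All names and data
are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    order_id: int                 # sequential database key, visible in URLs
    customer_email: str           # personal data that must not leak
    owner_user_id: Optional[int]  # None for a guest checkout
    # Per-order capability token. Only the guest who placed the order receives
    # it (on the confirmation page / e-mail); it is what makes the link private.
    access_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample store: two guest orders and one registered customer's order.
ORDERS = {
    24: Order(24, "guest-a@example.invalid", None),
    25: Order(25, "guest-b@example.invalid", None),
    26: Order(26, "member@example.invalid", 7),
}


def view_order_insecure(order_id: int) -> Optional[Order]:
    """The pattern the thread describes: /shop/my-orders/<id> with no ownership
    check. Whoever can change the number in the URL can read every order."""
    return ORDERS.get(order_id)


def view_order(order_id: int, *, current_user_id: Optional[int] = None,
               token: Optional[str] = None) -> Optional[Order]:
    """Hardened lookup.

    - A logged-in customer may view only orders whose owner_user_id matches.
    - A guest order may be viewed only with its per-order token.
    - Everything else returns None, so the caller cannot even learn whether
      the ID exists.
    """
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if current_user_id is not None and order.owner_user_id == current_user_id:
        return order
    if order.owner_user_id is None and token is not None:
        # Constant-time comparison: a plain '==' could leak how many leading
        # characters of the token were correct through response timing.
        if hmac.compare_digest(order.access_token, token):
            return order
    return None


def confirmation_link(order: Order, base: str = "/shop/my-orders") -> str:
    """Link to show on the confirmation page: the ID alone is not enough, the
    token is what authorises the guest."""
    return f"{base}/{order.order_id}?token={order.access_token}"


if __name__ == "__main__":
    # Guest B's own link works; guessing a neighbouring ID does not.
    mine = view_order(25, token=ORDERS[25].access_token)
    other = view_order(24, token=ORDERS[25].access_token)
    print("own order:", mine.customer_email if mine else None)   # own order: guest-b@example.invalid
    print("neighbouring order:", other)                           # neighbouring order: None
```

Two design notes for whoever applies this pattern: the token must come from a cryptographically secure generator (here `secrets.token_urlsafe`), since a short or predictable "random ID" is just a slower enumeration; and because the token travels in a URL it can land in server logs, browser history and referrer headers, so it should grant read access to that one order only and, ideally, expire.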
Stuart Clark
Accepted Answer
1 year ago #163780

Examples of the SECURITY HOLE on my website (all fake information, luckily)

https://dilligaf.shop/shop/my-orders/36

https://dilligaf.shop/shop/my-orders/37

https://dilligaf.shop/shop/my-orders/45

1
Stuart Clark
Accepted Answer
1 year ago #163817

This needs an IMMEDIATE resolution from JoomShaper!

(you've already had 24 hours and haven't replied sensibly)

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #163824

Hi there,

You are absolutely right. I will inform our development team to generate random IDs to prevent orders from being found by altering the guest user's information.

Best regards,

Toufiqur Rahman (Team Lead, Support)

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #163830

I just confirmed that the developer team is working on this issue and we plan to release it next week. Thanks

0
Stuart Clark
Accepted Answer
1 year ago #163829

I reported this to @Ofi Khan yesterday - he claimed he'd told the development team.

See: https://www.joomshaper.com/forum/question/34173

YET it seems NOTHING has been done, nor any actions taken.

IT SEEMS JOOMSHAPER DO NOT CARE!!!

0
Stuart Clark
Accepted Answer
1 year ago #163848

"I just confirmed that the developer team is working on this issue and we plan to release it next week. Thanks"

Next week?

This is SIMPLY NOT GOOD ENOUGH! This is A SECURITY HOLE and NEEDS TO BE FIXED IMMEDIATELY!

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #163853

Our weekends are Saturday and Sunday. We will try again next Tuesday and Wednesday.

0
Stuart Clark
Accepted Answer
1 year ago #163855

I'm really concerned that neither you, nor anyone at JoomShaper, appears to understand the issue and risk here!

JOOMSHAPER introduced a SECURITY HOLE to their product, which some of their customers are attempting to use on LIVE websites. By introducing that security hole, you have EXPOSED POTENTIALLY THOUSANDS OR MILLIONS OF CUSTOMERS' PERSONAL DATA.

The people using EasyStore will be affected by this, and they could be sued by their customers. It is very right and legal that those people SUE JOOMSHAPER for any damages caused by JOOMSHAPER'S POOR CODING

... that's the legal risk bit out of the way.

It is also VERY concerning that JOOMSHAPER HAVEN'T EVEN APOLOGISED OR SUGGESTED A WORKAROUND TO PREVENT THE SECURITY HOLE BEING EXPLOITED whilst they work on a fix!

GET REAL WITH YOUR RESPONSIBILITIES. THIS IS NOT A GAME

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #163946

We're almost finished and aim to release it by today or tomorrow. Thank you for your patience!

0
Stuart Clark
Accepted Answer
1 year ago #163963

It's not patience. We have no option due to such POOR COMMUNICATION and LACK OF URGENCY from JOOMSHAPER

0
Stuart Clark
Accepted Answer
1 year ago #164038

THIS SECURITY HOLE HAS BEEN IN THE WILD AND EXPLOITABLE FOR OVER 5 DAYS NOW - WHERE IS THE FIX???

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164045

You will get it today.

0
Stuart Clark
Accepted Answer
1 year ago #164116

IT IS STILL BROKEN

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164126

I would request you to watch the full video.

https://drive.google.com/file/d/1Pjbi5OXU6gD3AioltAeqvuXwtWNH3wa6/view

0
Stuart Clark
Accepted Answer
1 year ago #164128

How about - you test it on my site - linked above - and tell me if you find anything that doesn't work??

That will show very quickly how thoroughly you test!

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164130

You didn't watch the video.

0
Stuart Clark
Accepted Answer
1 year ago #164134

TEST IT ON MY SITE!!!

Ultimately it's only on CUSTOMER SITES that this matters!

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164141

I tried to log in to the administrator area, but I couldn't open the administrator URL.

0
Stuart Clark
Accepted Answer
1 year ago #164142

WHY? ERROR MESSAGE?

More info is required if you expect whatever the issue is to be fixed!

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164143

Issue is fixed and you should watch the video.

0
Stuart Clark
Accepted Answer
1 year ago #164144

WHERE IS THE DOCUMENTATION???

A VIDEO IS NOT DOCUMENTATION!

HOW ARE OTHER CUSTOMERS MEANT TO KNOW THIS???

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164146

We will add documentation asap. Let's talk about your issues.

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164149

I am waiting for your response.

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164152

Are you there?

0
Stuart Clark
Accepted Answer
1 year ago #164175

@Toufiq

I've tested THOROUGHLY on my site - which is something YOU HAVEN'T DONE!

The solution works ONLY if you use a custom payment option!

If you use Stripe payment plugin, this solution DOES NOT WORK

NOW - START PROVIDING PROPER SUPPORT AND TESTING

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164177

Read this last reply of this forum post.

https://www.joomshaper.com/forum/question/34218#qa-answer-164135

0
Stuart Clark
Accepted Answer
1 year ago #164178

That answer makes ZERO sense!

Read my post above - your solution to guest order viewing DOES NOT WORK FOR PAYMENT MODULES SUCH AS STRIPE

(I didn't mention PayPal)

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164179

Provide me your site login credentials, because I have checked another user's post and it works fine.

0
Stuart Clark
Accepted Answer
1 year ago #164181

You don't need logon credentials - this is ordering as A GUEST

Go to my site - https://dilligaf.shop - AS A GUEST and order a product using Stripe payment option (I will unpublish all others)

Enter FAKE / SANDBOX credit card info, such as 4242 4242 4242 4242 -- 12/24 -- 123 and complete the transaction - THEN TELL ME IT WORKS... IT DOESN'T!!!

THIS IS CALLED TESTING

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164187

I will share a build asap. Please wait. Thanks

0
Stuart Clark
Accepted Answer
1 year ago #164190

So you're finally admitting I am right and you didn't properly test before release???

0
Stuart Clark
Accepted Answer
1 year ago #164182

@Toufiq

I can see you've made a test order on my site - well done!

The link doesn't work, does it???

NOW - actually start helping - PLEASE!

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164198

Download and install this plugin. Then let me know.

plg_easystore_stripe_v1.0.10.zip

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164199

I have checked via Stripe payment and it works fine on my end.

0
Stuart Clark
Accepted Answer
1 year ago #164202

At last! Pity this didn't happen the first time!

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164205

I'm afraid your attitude towards me has been APPALLING!

I assure you that I did not intend to be threatening in any way. I have been doing my best to assist you.

If you need a refund then I can manage the refund (provide me details of your account for the refund). But, there is no way to provide a lifetime license.

Screenshot at Aug 07 14-53-24.png

Read our refund policy. https://www.joomshaper.com/refund-policy

-1
Stuart Clark
Accepted Answer
1 year ago #164206

I've read your refund policy - and JoomShaper are in breach of it!

The policy is based upon products which are FIT FOR PURPOSE. EasyStore is currently NOT FIT FOR PURPOSE!

For the amount of USER SUPPORT that I have had to provide to you @Toufiq and to JoomShaper staff - you either need to PAY me, or provide a FREE subscription!

0
Stuart Clark
Accepted Answer
1 year ago #164201

YES - This now works! I presume you'll need to perform a similar update on all other payment plugins

IT IS VERY DISAPPOINTING THAT YET AGAIN I AM HAVING TO BETA TEST FOR YOU AS YOU CAN'T BE BOTHERED TO DO IT PROPERLY DURING DEVELOPMENT!

I EXPECT AN APOLOGY

0
Toufiq
Accepted Answer
Senior Staff 1 year ago #164203

I apologize for any inconvenience. We are currently testing other plugins and plan to release them later today.

0
Stuart Clark
Accepted Answer
1 year ago #164204

The apology is for calling me a liar and claiming I didn't know how to test, when in fact the issue was that you and your staff had not tested!

This is another example of very sloppy coding and complete disregard for testing your work before releasing it!

JoomShaper should not be relying on customers to FIX their products for them!

0
Paul Frankowski
Accepted Answer
Senior Staff 1 year ago #164210

Sorry, but after all I don't see a reason for bad emotions. In every software there were and are mistakes, also security bugs. Even if we talk about huge products like Windows with huge Developer & Testing Teams. Blue screen....

We didn't ask you to fix the code, but to check on your side and share feedback, as an extra pair of eyes.

We are sorry for the problem, and promise to be more careful next time.

There is an adage that "he makes no mistakes who does nothing"; a small disagreement - he contributes nothing. Thank you for any even critical comment.

BTW You can also share your projects/guides made for Joomla Community. It would be nice to see something.

Have a nice day!

-1
Stuart Clark
Accepted Answer
1 year ago #164221

@Paul Frankowski

I originally pointed out that guest customers had no way of viewing their orders over 3 weeks ago! Having initially been ignored by JoomShaper staff, and having to prove time and time again what the issue was, eventually JoomShaper undertook to release a "fix" for the issue.

That fix was released a week ago and introduced a SERIOUS SECURITY HOLE to EasyStore. It was obvious that NO testing had taken place internally by JoomShaper, otherwise the security hole would have been spotted before release!

When I informed JoomShaper of that security hole, I was again IGNORED until I posted this thread, making the hole public. We were then told it would take almost a WEEK to release a fix for the security hole.

Upon release, we found that the FIX hadn't been sufficiently tested by JoomShaper and DID NOT WORK CORRECTLY. Once again I was forced to spoon feed JoomShaper staff through the testing procedures until they admitted to another issue!

If you genuinely think this is good customer service and good coding, then I am afraid you are very much mistaken! JoomShaper is a commercial company charging users significant sums to access their products. However, THOSE PRODUCTS ARE NOT SUITABLE FOR USE IN PRODUCTION WEBSITES BECAUSE THEY ARE POORLY CODED AND NOT TESTED. You can follow the ongoing discussion about EasyStore's MANY failures here: https://www.joomshaper.com/forum/question/33814

(but do NOT dare to tell me that JoomShaper are behaving in a professional manner)

0
Paul Frankowski
Accepted Answer
Senior Staff 1 year ago #164222

In general, at least for me, the problem is not what you did, but how you did it! For security problems "Email" should be used.

If you have a private site with at least one extension, you would also prefer to get an e-mail, not a Screaming Forum Post, right?

0
Stuart Clark
Accepted Answer
1 year ago #164226

IF I hadn't been ignored when I first reported it, then maybe I would have been willing to stick to emails.

However, the complete LACK of FEEDBACK or ENGAGEMENT from JoomShaper staff has meant that the ONLY way to get acknowledgement is to make a public posting!

Now - rather than continuing to attack one of your customers, why not work with that customer to FIX the multitude of remaining bugs in EasyStore???

(I won't even bother to mention security bounty payments which most companies adhere to)

0
Stuart Clark
Accepted Answer
1 year ago #164228

See below

0
Paul Frankowski
Accepted Answer
Senior Staff 1 year ago #164235

Unfortunately, this conversation leads to nothing. I am closing it.

For Refund Topic >> https://www.joomshaper.com/contact

0
This topic is locked