mackhax0r (Thomas Mack)

Member, 4 posts

  1. This is the same mentality that allowed this to happen: https://arstechnica.com/security/2017/03/firefox-gets-complaint-for-labeling-unencrypted-login-page-insecure/ and this: https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/ When security isn't taken seriously, someone will find a way to exploit it. Do you realize 90% of users use the same username and password in everything, including their bank accounts? It is YOUR job to keep YOUR customers' information secure. I don't want my name or address getting out there!! Yes, it's a security issue. Prestashop should be ashamed of themselves.
  2. The server logs and the prestashop database are not related to each other. You can view emails on your mail server without issue, and the emails would be saved in the "Sent emails" folder. The proper way to design a forgotten password method is pretty simple. Email a special link that goes to their security questions, and expires after 1 hour. You don't ever send an email nor do you send a special link directly to a change password form. This isn't an issue of whether or not the passwords in the database are encrypted. The problem here is the fact they are sending an unsecure email to customers with their login credentials. This is unsafe, unprofessional, and to be honest lazy programming. Not only do they display a password, but they kindly make a pretty graphic with your CREDIT CARD NUMBER on it. I discussed this issue outside of this forum post and decided to go with a different product. The lack of security in Prestashop is astonishing.
  3. Right, I can impersonate any user on my mail server and see sent server logs; this is what I meant. It isn't visible in the mail log in the backend.
  4. I really hope this is a joke. It's not, though. When a new user signs up for Prestashop, they receive an email with their username and password. After poking around in the translation templates, I found that this is very common throughout all the templates. My question is this: ARE YOU FREAKING SERIOUS? This design is a major security flaw in Prestashop. The developers can't seriously think this was ever a good idea. You can abide by every single security standard in the world, but if you send it via email, which is insecure because it is not encrypted in any way, you defeat the purpose. It might be easier to just display all the passwords via plain text. Seriously. Let's see. http://security.stackexchange.com/questions/94102/is-it-good-practice-to-send-passwords-in-separate-emails-and-why http://www.thebitmill.com/articles/password_email.html https://nakedsecurity.sophos.com/2015/05/19/uber-in-hot-water-again-over-plaintext-passwords-in-emails/ Seriously, I hope this is some cruel joke. I've removed every reference to the {PASSWD} flag in the translation files, but this is absolutely frustrating and unacceptable.
     Things we could do:
       • As a system administrator, I can view the password in the sent logs.
       • If someone leaves their computer unlocked, their password is visible.
       • If the user sends to the wrong email, the person gets to see their password (note: I signed up for gmail with my first last name at gmail.com, and I get a LOT of people using my email by mistake, so this isn't uncommon).
     Literally the worst design ever. I'm about to deploy this product for multiple customers, and after seeing this I'm at a standstill because this is unacceptable. I'm also not modifying code to make it secure the way it is supposed to be. Do the developers have any interest in fixing this issue? I would assume not.
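The reset flow that post 2 describes, written out as an added example (it is neither PrestaShop's code nor the poster's): the customer is emailed a random token in a link, the server stores only a hash of that token, the token expires after one hour and can be redeemed exactly once. A welcome mail is included alongside it to show the alternative to the {PASSWD} placeholder post 4 objects to. The base URL, user ids, email wording and the `token_from_link` helper are assumptions for illustration; what the reset page puts behind a redeemed token (security questions, then a change-password form, as the post suggests) is left to the application.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# One hour, as the post suggests.
TOKEN_TTL_SECONDS = 3600


@dataclass
class ResetRecord:
    token_hash: str   # SHA-256 of the token; the token itself is never stored
    user_id: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issue and redeem single-use, time-limited password-reset links.

    The mail body carries only a random token. The store keeps a hash of
    it, so someone who can read the database (or the sent-mail log) never
    sees the account password, and a leaked token table cannot be turned
    back into working links.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 base_url: str = "https://shop.example/reset"):  # hypothetical URL
        self._clock = clock          # injectable so expiry can be tested
        self._base_url = base_url
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the link to email."""
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        record = ResetRecord(self._hash(token), user_id,
                             self._clock() + TOKEN_TTL_SECONDS)
        self._records[record.token_hash] = record
        return f"{self._base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id the token belongs to, or None if it is unknown,
        expired or already used. A successful redeem consumes the token."""
        record = self._records.get(self._hash(token))
        if record is None or record.used or self._clock() > record.expires_at:
            return None
        record.used = True
        return record.user_id


def reset_email(link: str) -> str:
    """Body of the reset mail: it carries the link and no credential."""
    return (
        "Someone asked to reset the password for your account.\n"
        f"Open this link within one hour to continue: {link}\n"
        "If that was not you, ignore this message; your password is unchanged.\n"
    )


def welcome_email(first_name: str, login_email: str) -> str:
    """Welcome mail that tells the customer their login but never their password
    (what removing {PASSWD} from the templates achieves)."""
    return (
        f"Hi {first_name},\n"
        f"your account was created. Your login is {login_email}.\n"
        "You chose your password during signup; we never send it by email.\n"
    )


def token_from_link(link: str) -> str:
    """Pull the token back out of a link (what the reset page does on arrival)."""
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    svc = PasswordResetService()
    link = svc.issue("customer-42")
    print(reset_email(link))
    print(svc.redeem(token_from_link(link)))   # customer-42
    print(svc.redeem(token_from_link(link)))   # None: the token is single-use
```

Two details carry the security argument from the thread: the mail log and the database hold different things (a token on one side, its hash on the other), so an administrator reading sent mail learns nothing about the customer's password, and a token that is read from a sent-mail folder days later is already expired or spent.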