RESOLVED: AddShoppers social login critical vulnerability giving unauthorized access to user accounts
If you happen to be one of the ‘1,000+ brands worldwide’ using AddShoppers’ social login plugin, you may want to keep reading.
Mavitech's development team, which has over 5 years of hands-on experience with Magento, discovered earlier today what looks like an exploit allowing anyone who knows a user's email address to log into that user's account on any website with the plugin installed. As the AddShoppers home page states, over 1,000 brands currently use it, including major online retailers like Hanes, NCR, O'Neill Clothing and Everlast. The exploit was discovered while installing and configuring the latest version of the AddShoppers Magento 2 extension in a local development environment, and it required only a very basic understanding of coding principles. Using the exploit, the team was able to log into a customer's account using only the email address, thus gaining unrestricted access to sensitive information such as customer addresses, phone numbers, orders placed and items purchased, billing agreements and reviews, or possibly even credit card data on websites that are not PCI compliant and store card data themselves. Worse still, for online stores selling virtual or downloadable products this means gaining access to paid content, which could then be freely downloaded, which is to say stolen.
The team's first guess was that the bug was merely a consequence of developing for the newly released platform, so they went ahead and tried the same exploit in an isolated Magento 1.9.x environment, and it worked like a charm. So there is a real chance that the freely distributed plugin grants social login not only to your customers but also to anyone who happens to know their email address.
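The page does not describe the plugin's internal defect, only its effect: a session is obtained from an email address alone, and the account password never enters into it. The example below is added here to illustrate that bug class and the property a social-login endpoint must have instead; it is not the AddShoppers code, not Magento code, and the "identity provider" is a constructed stand-in (an HMAC-signed claim set, not any real provider's token format). The customer records and the provider key are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a social identity provider (hypothetical, not any
# real provider's token format): it signs {"sub", "email"} with a key only the
# provider and the store share. Real providers use OAuth/OIDC; the point is the
# same: the store must check a provider-signed assertion, never a bare email.
PROVIDER_KEY = b"constructed-provider-key-not-real"


def _encode(claims):
    return json.dumps(claims, sort_keys=True).encode()


def provider_issue_assertion(provider_user_id, email):
    """What the (pretend) provider hands back after the user authenticates."""
    payload = _encode({"sub": provider_user_id, "email": email})
    sig = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def forge_assertion(provider_user_id, email):
    """What an attacker without the provider key can produce: right shape, bogus signature."""
    payload = _encode({"sub": provider_user_id, "email": email})
    return base64.urlsafe_b64encode(payload).decode() + "." + "0" * 64


def provider_verify_assertion(token):
    """Return the claims if the signature checks out, else None."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return None
    expected = hmac.new(PROVIDER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


class Store:
    """Toy customer database with a weak and a safe social-login path."""

    def __init__(self):
        # Constructed sample customers; social_ids holds provider ids linked
        # to the account when the customer first connected a social login.
        self.customers = {
            "alice@example.com": {"social_ids": {"social:1001"}},
            "bob@example.com": {"social_ids": set()},
        }
        self.sessions = {}  # session id -> customer email

    def _start_session(self, email):
        sid = secrets.token_hex(16)
        self.sessions[sid] = email
        return sid

    # The pattern to avoid: a callback that takes an email from the request
    # and logs the customer in without any provider-attested proof. Anyone who
    # knows the address gets a session, and changing the password changes nothing.
    def login_by_email_only(self, email):
        if email in self.customers:
            return self._start_session(email)
        return None

    # The safe pattern: the only input is the provider's signed assertion, and
    # the customer is matched by the provider user id linked to the account,
    # not by the email claim. An assertion whose id is linked to no account is
    # refused instead of being silently merged into the account with that email.
    def login_by_social_assertion(self, token):
        claims = provider_verify_assertion(token)
        if claims is None:
            return None
        linked_id = "social:" + str(claims["sub"])
        for email, record in self.customers.items():
            if linked_id in record["social_ids"]:
                return self._start_session(email)
        return None  # unlinked identity: require account linking with the password
```

The two checks that matter are in the safe path: the signature check rejects anything not issued by the provider, and the lookup by linked provider id means that even a genuine assertion carrying a victim's email (for example from a provider that does not verify email ownership) does not open the victim's account.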
Max Krukovsky, CEO @ Mavitech: “Earlier today I had our senior developer contact me with what at first sounded really bizarre. Having been into Magento custom development, online promotion and digital marketing for years, we certainly were no strangers to the AddShoppers brand. He insisted that I take a look at something which he claimed was a severe vulnerability within the social login extension by AddShoppers, freely distributed on GitHub under their official account, allowing anyone calling two specific URLs to log into any customer account provided that they had the email address. The peculiar detail about the exploit is that there’s basically no way one can protect their account, as changing the password will not work: the exploit does not need the password to work. I asked for proof, and the results are so far unbelievable: we were able to log into accounts on live websites running the plugin. We challenged ourselves to test one of the websites showcased on www.addshoppers.com by creating a new account and then trying to access it using the exploit, and, well, it worked. We have urgently contacted all of our clients running the plugin and disabled it. What’s a little frustrating is the fact that a possible patch should not be anything complicated. We will be running more tests over the weekend to confirm that the exploit can be used in all of the environments where the plugin is installed regardless of Magento version, social networks used and other environment details. For now we cannot confirm that 100% of stores are affected, but if your store is running one, you’d probably be better off disabling social login for the time being. We are only left to hope that no one has been using the exploit in the background all this time. We will also be happy to cooperate with AddShoppers to provide explicit details on the exploit to allow a quicker turnaround for the patch, or to provide them with one.”
For additional comments please feel free to reach out to Max at max.krukovsky @ mavitech.com or via LinkedIn. Please make sure you get this message across to your clients and colleagues.
UPDATED 9/3, 1PM EDT: AddShoppers has been extremely responsive, replying immediately and delivering an update within hours that we’re currently evaluating. More soon.
UPDATED 9/5, 8AM EDT: The fix provided by the AddShoppers team has proved to close the hole completely, removing any ability to get into customer accounts using the previously discovered vulnerability. AddShoppers has published a post on this, including the download links for both Magento 1.9 and 2.1: http://www.addshoppers.com/blog/security-update-for-magento-1x-and-2x-users.