Hi everybody
There seems to be a security issue with Cowoa. I just tested with ZC 1.5.5 and Cowoa 2.7 (latest on GitHub):
1. Person A makes an order from Zen Cart using Cowoa checkout with the email [email protected]
2. Person B makes a new account on Zen Cart using the same email address [email protected]
3. Person B now sees the order that Person A made in step 1, which is the security issue I am talking about
This is because registering doesn't use email confirmation by default... It isn't normally an issue if someone registers with a faulty email they have no access to; not really a major issue. However, when using Cowoa, this reveals sensitive data about users and their order history.
I am currently trying to figure out how to fix this problem on my customer's site, and basically I'm rather unsure how to fix it. I suppose email confirmation must be required when a cowoa-account exists before upgrading it to a normal account. Or mark orders as cowoa-orders, and not display them to non-cowoa users.
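A small Python model of the collision described in the post, with the reported behaviour beside the hardened rule the post suggests (guest orders are attached to an account only after the address is confirmed). This is an added example, not Zen Cart or COWOA code; the class and field names and the sample address are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Order:
    email: str
    is_cowoa: bool             # placed through guest (COWOA) checkout
    customer_id: "int | None"  # None until attached to a real account

@dataclass
class Customer:
    customer_id: int
    email: str
    email_verified: bool = False  # True only after the confirmation link is used

class Store:
    def __init__(self):
        self.orders = []

    def place_guest_order(self, email):
        order = Order(email, True, None)
        self.orders.append(order)
        return order

    def orders_for_vulnerable(self, customer):
        # As reported: matching on e-mail alone hands the guest's history to whoever registers it.
        return [o for o in self.orders if o.email == customer.email]

    def claim_guest_orders(self, customer):
        # Hardened: guest orders attach to an account only once the address is
        # verified; an unconfirmed registration proves nothing about ownership.
        if not customer.email_verified:
            return 0
        claimed = [o for o in self.orders if o.is_cowoa
                   and o.customer_id is None and o.email == customer.email]
        for o in claimed:
            o.customer_id = customer.customer_id
        return len(claimed)

    def orders_for_hardened(self, customer):
        # Visibility by account id only; unclaimed guest orders stay hidden.
        return [o for o in self.orders if o.customer_id == customer.customer_id]

def demo():
    # Constructed scenario: A orders as a guest, then B registers with A's address.
    store = Store()
    store.place_guest_order("a@example.com")
    b = Customer(customer_id=1, email="a@example.com")
    leaked = len(store.orders_for_vulnerable(b))  # 1: B sees A's order
    b.email_verified = True                       # confirmation link used
    claimed = store.claim_guest_orders(b)         # 1: address owner claims it
    return leaked, claimed, len(store.orders_for_hardened(b))
```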