What can be worse than a leaky plug-in? Perhaps many leaky plug-ins supplied by one vendor, installed in several places and responsible for handling financial transactions.
Recently we received a message from an anonymous reader, who sent us a link to a rather lengthy blog post written in strong language and containing – as the author put it – a cursory review of the plug-ins developed by Przelewy24.pl for many different e-commerce platforms. The post has since been removed, but the list does not look good – especially for the sites which have installed the vulnerable plug-ins.
Shop for free and delete a database?
Przelewy24, an online payment operator, offers free tools supporting the integration of shops with its payment mechanisms. The operator’s website has a tab titled “Files to download” containing, among other things, a section called “Ready-to-use modules”. There you will find plug-ins and modules supporting the major e-commerce platforms, such as Magento 1.x and 2.x, PrestaShop versions 1.3-1.7, WooCommerce 2.x, VirtueMart 2 and 3, OsCommerce, wp-e-Commerce and OpenCart. They were developed by Przelewy24 and made available for free to anyone interested.
The author of the post claims to have found critical errors in many of the plug-ins he reviewed, allowing a malicious user to shop for free and, for example, to delete the entire payment database of a shop using a vulnerable plug-in. The errors the author claims to have identified include in particular:
• SQLi in several different modules (which makes it possible to delete data and to change the order status),
• missing validation of a parameter in one of the modules (which makes it possible to set the order status),
• another module ignoring the result of its own data validation (a lot of code performs data validation, the result of which is then simply disregarded),
• the possibility of forging the order confirmation in another module (the checksum can be calculated),
• the archives of a few modules contain a .git folder, where one can find the commit history and developers’ data,
• the archive of another module contains an .idea folder, where one can find the history of changes, including for example “Withdrawal of changes mistakenly added to the master”.
While leaving a .git folder in an archive by oversight is a minor mistake, SQLi in several modules is a serious error on the part of the developers. We were able to confirm some of the errors, and Przelewy24 indirectly admitted that the problem existed (see below).
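As an added illustration of the last two list items (this is not code from the original post or from Przelewy24), the check below inspects a plug-in archive before installation for version-control and IDE metadata directories and shows what a shipped .git/logs/HEAD actually reveals: author names, e-mail addresses and commit messages. The archive content is constructed inline; the plug-in, author and commit values are invented placeholders.

```python
import io
import zipfile
from typing import Dict, List

# Directories that should never ship in a plug-in archive: .git and .svn leak
# commit history and developer identities, .idea leaks IDE state (assumed
# conventional names, not a list taken from Przelewy24).
LEAKY_DIRS = {".git": "VCS history", ".svn": "VCS history", ".idea": "IDE state"}


def build_sample_archive(include_metadata: bool = True) -> bytes:
    """Constructed sample: a plug-in zip that mistakenly bundles .git/ and .idea/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("p24-plugin/payment.php", "<?php // plug-in code (placeholder)\n")
        if include_metadata:
            zf.writestr("p24-plugin/.git/config", "[core]\n\trepositoryformatversion = 0\n")
            # Git reflog format: old_sha new_sha Name <email> timestamp tz \t message
            zf.writestr("p24-plugin/.git/logs/HEAD",
                        "0" * 40 + " " + "1" * 40 + " Jane Dev <jane@example.com> 1500000000 +0200"
                        "\tcommit (initial): Initial import\n"
                        + "1" * 40 + " " + "2" * 40 + " Jane Dev <jane@example.com> 1500003600 +0200"
                        "\tcommit: Revert changes mistakenly added to master\n")
            zf.writestr("p24-plugin/.idea/workspace.xml", "<project/>\n")
    return buf.getvalue()


def find_leaky_paths(archive_bytes: bytes) -> Dict[str, List[str]]:
    """Return {metadata dir: [member paths]} for members under a leaky directory at any depth."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for member in zf.namelist():
            for component in member.split("/"):
                if component in LEAKY_DIRS:
                    findings.setdefault(component, []).append(member)
                    break
    return findings


def reflog_entries(archive_bytes: bytes) -> List[Dict[str, str]]:
    """Extract author and message from every .git/logs/HEAD in the archive (what a leak exposes)."""
    entries: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for member in zf.namelist():
            if not member.endswith(".git/logs/HEAD"):
                continue
            for line in zf.read(member).decode("utf-8", "replace").splitlines():
                head, _, message = line.partition("\t")
                fields = head.split(" ")
                # fields[0:2] are the SHAs, the last two are timestamp and zone;
                # everything in between is the author name plus e-mail.
                entries.append({"author": " ".join(fields[2:-2]), "message": message})
    return entries
```

Run `find_leaky_paths` over a downloaded archive before deploying it; a non-empty result means the archive should be rejected or cleaned, and `reflog_entries` shows what would otherwise be exposed under the web root.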
What do Przelewy24 say to that?
It did not take us even twenty minutes from reading the list of errors to ask a representative of Przelewy24 to contact us, and after another quarter of an hour or so we managed to get through to the relevant person. We sent a few questions and received the following answers from a lawyer representing Przelewy24:
1. Did the author of the discoveries contact you before?
The author refers to an alleged contact with our CTO, but we did not record such a contact attempt. Providing the code developer with information about detected vulnerabilities is a normal practice in such situations; in this case such information was first disclosed to you.
2. Are his allegations concerning the errors in the plug-ins for multiple platforms true?
Our review shows that there have been certain small-scale gaps. The code of the main settlement system is completely independent of the plug-ins’ code and no vulnerabilities have been identified in it. Our team has already implemented necessary changes in the code and new versions of the plug-ins, tested by independent auditors, are gradually being released to our trading partners.
3. Does the use of the code from the listed plug-ins by the sellers pose a security threat to them?
The issue concerned only some plug-ins, that is a limited group – several percent – of our trading partners. Nevertheless, all the partners using those products were immediately informed by us by e-mail and by telephone about the need to install updates and to disable or uninstall the previous version. The code of the plug-ins is independent of the code of Przelewy24 and so there is no threat to the operation of the transactional system and direct integrations.
4. What steps are you going to take in connection with this publication?
We have already taken the key steps – conducted a security audit, prepared the necessary updates and informed the trading partners using the products requiring updates. Our team immediately started to rectify the plug-ins’ code. The new plug-ins were audited by outsourced entities. After the audit, the plug-ins are made available to the shops on an ongoing basis.
5. What are the businesses which used the erroneous code in their shops supposed to do?
We recommend this: until you are notified about a new version of the plug-ins being available, please disable or uninstall the PrestaShop plug-in and remove the others from your shop. All our partners using the plug-ins requiring updating were informed by us immediately by telephone and e-mail; we also published information about that on our website. The trading partners were then advised by e-mail about the availability of a new plug-in.
Is it serious and what is it all about?
The whole issue has several aspects which are worth addressing. Let’s start with the fact that the errors do not concern the core functions of Przelewy24, but only the plug-ins installed by the sellers. In the light of the reports, the Przelewy24 platform itself is thus secure, whereas the shop owners using the plug-ins published by Przelewy24 may have a problem. According to the company, they represent a mere few per cent of its clients, and the problem, as the company maintains, is a small-scale one. What is more, the company has managed to warn most of the affected clients about it.
However, the errors in the code of the plug-ins are, in fact, reprehensible. We are not talking here about code handling a Noughts and Crosses tournament, but about code handling payments for online shopping, which is supposed to meet much stricter security standards. A glance at the code of the plug-ins is enough to conclude that the authors did not follow the best practices of secure programming. It is a serious lapse on the part of Przelewy24, which had the trust of a group of sellers who implemented the plug-ins without any extra quality control.
The intentions of our informer are not clear to us. While the errors pointed out by him do actually exist, his behaviour is doubtful. Firstly, he claimed in his (already deleted) post that he had informed Przelewy24 about the problem. When asked to present proof, he was unable to and instead made up ridiculous excuses. Secondly, the blog post in which he detailed all the problems suddenly disappeared and the author went completely silent, even though he had quickly answered e-mails before. We do not know whether the disappearance of the post was his own decision or the result of external interference, but it looks strange.
Thirdly, we don’t know his motives – if he simply wanted to point out the errors, he could have contacted the plug-in authors directly. Fourthly, the timing of the report was the least convenient possible for Przelewy24. Fifthly, it was the first time we had seen this category of errors published on a publicly available blog – we normally receive them PGP-encrypted. Lastly, the author of the report said he was going to send the link to other portals the following Sunday. We consider all of this behaviour unusual in this kind of situation. For this reason, we decided not to publish the technical details of the discovered errors.
My shop supports Przelewy24, what shall I do?
Chances are you don’t have to do anything. The company itself has said that only a few per cent of its users had deployed its plug-ins. If you are one of them, you will probably have a message in your mailbox or several missed calls from Przelewy24 on your phone. Disable or uninstall the plug-ins and wait for the next version (or install the new one right away if it is already available, because the company has managed to correct some of them).
How we evaluate the reaction of Przelewy24
Although it all started rather badly, because the errors were below the standard required of a company handling money transfers, things then improved a lot. We managed to make first contact within a quarter of an hour or so, and after another quarter we were convinced that the company was dealing with the problem. Response time – excellent. How the problem was resolved also looks rather good – they got down to fixing the code immediately, despite it being the weekend, and to informing their clients as well. This is praiseworthy. You can see that they can behave correctly in a difficult situation. One glitch was the communication through a lawyer representing the company (we usually talk to a press officer or a board member), especially the allusion that by publishing information about the errors we might also be liable for potential losses. This is an ill-judged conclusion, since the information about the critical update of the plug-ins had already been published on Przelewy24’s website and on other industry and specialised websites, and even on Wykop.