Email accounts not hashing password

Posted: August 24, 2016 at 10:10 AM Quote #174043
In the [EmailAccount] table, the passwords for the email accounts are not being hashed. It's a very big vulnerability, since no one besides the owner of the account should have access to any password whatsoever, and now anyone with access to the db can look up the password, which is an extremely vulnerable issue.
Posted: August 25, 2016 at 1:42 AM Quote #174062
Thanks a lot! Agree. They should be encrypted (not hashed). Please find this work item here
Interested in the dedicated Premium support services provided by core developers? Please visit http://www.nopcommerce.com/supportservices.aspx

Regards,
Andrei Mazulnitsyn
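
Added example, not part of the thread and not nopCommerce code: a sketch of the "encrypted (not hashed)" approach for a stored mail-account password, which must be reversible so the store can present it to the mail server. The class, method and parameter names are hypothetical, and it assumes .NET 8 or later and a 32-byte key kept outside the database.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: field-level encryption for a stored mail-account password.
// Class, method and parameter names are hypothetical, not nopCommerce APIs.
public static class EmailPasswordProtector
{
    private const int NonceSize = 12; // AES-GCM nonce, in bytes
    private const int TagSize = 16;   // AES-GCM authentication tag, in bytes

    // key: 32 random bytes stored outside the database (assumption).
    // accountId: row id, bound as associated data so a ciphertext copied
    // onto another row fails authentication on decrypt.
    public static string Protect(byte[] key, int accountId, string password)
    {
        byte[] nonce = new byte[NonceSize];
        RandomNumberGenerator.Fill(nonce); // fresh nonce for every encryption
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, plain, cipher, tag, BitConverter.GetBytes(accountId));

        // Column value: base64(nonce || tag || ciphertext)
        byte[] blob = new byte[NonceSize + TagSize + cipher.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceSize);
        cipher.CopyTo(blob, NonceSize + TagSize);
        return Convert.ToBase64String(blob);
    }

    // Throws CryptographicException if the key, row id or ciphertext do not match.
    public static string Unprotect(byte[] key, int accountId, string stored)
    {
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("Stored value is too short.");
        var nonce = new ReadOnlySpan<byte>(blob, 0, NonceSize);
        var tag = new ReadOnlySpan<byte>(blob, NonceSize, TagSize);
        var cipher = new ReadOnlySpan<byte>(blob, NonceSize + TagSize,
                                            blob.Length - NonceSize - TagSize);
        byte[] plain = new byte[cipher.Length];
        using (var aes = new AesGcm(key, TagSize))
            aes.Decrypt(nonce, cipher, tag, plain, BitConverter.GetBytes(accountId));
        return Encoding.UTF8.GetString(plain);
    }
}
```

Someone who can read only the database sees the base64 blob and cannot recover the password without the key, so the protection depends on the key living somewhere the database reader cannot reach.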
Posted: May 19, 2017 at 10:16 AM Quote #187986
Andrei, I see that 3.90 still has this security vulnerability, and I see on git that this work item is on hold. Any reason why? https://github.com/nopSolutions/nopCommerce/issues/345
Posted: May 20, 2017 at 4:43 AM Quote #188029
Hi,

I wouldn't say that it's a security vulnerability. It's a recommendation to increase security because none of the standard users have direct access to the database. But of course, we'll start working on it once more important tasks are finished.

Regards,
Andrei Mazulnitsyn