Email accounts not hashing password

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
In the [EmailAccount] table, the passwords for the email accounts are not being hashed. It's a very big vulnerability, since no one besides the owner of the account should have access to any password whatsoever, and now anyone with access to the DB can look up the password, which is an extremely vulnerable issue.
7 years ago
Thanks a lot! Agree. They should be encrypted (not hashed). Please find this work item here
6 years ago
Andrei, I see that 3.90 still has this security vulnerability, and I see on Git that this work item is on hold. Any reason why? https://github.com/nopSolutions/nopCommerce/issues/345
6 years ago
Hi,

I wouldn't say that it's a security vulnerability. It's a recommendation to increase security, because none of the standard users have direct access to the database. But of course, we'll start working on it once more important tasks are finished.
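Added example, not part of the original thread and not nopCommerce code: an outgoing mail account password has to be replayed to the SMTP server, so it must be recoverable, which is why the reply above says encrypted rather than hashed. The sketch below shows authenticated encryption of that column value with a key held outside the database; it assumes .NET 8 or later, and `EmailPasswordProtector`, the `v1:` storage format and the purpose label are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative helper (hypothetical name, not a nopCommerce type).
public static class EmailPasswordProtector
{
    private const int NonceSize = 12; // AES-GCM nonce length in bytes
    private const int TagSize = 16;   // AES-GCM authentication tag length in bytes

    // Associated data ties the ciphertext to this column's purpose, so a value
    // encrypted for another field under the same key will not decrypt here.
    private static readonly byte[] Purpose = Encoding.UTF8.GetBytes("EmailAccount.Password");

    // key: 32 random bytes loaded from outside the database (assumption: an
    // environment variable, key vault or protected configuration section).
    public static string Protect(string password, byte[] key)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh per value
        byte[] plain = Encoding.UTF8.GetBytes(password);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagSize];

        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, plain, cipher, tag, Purpose);

        // Base64 never contains ':', so it is safe as a field separator.
        return "v1:" + Convert.ToBase64String(nonce) + ":" +
               Convert.ToBase64String(cipher) + ":" + Convert.ToBase64String(tag);
    }

    public static string Unprotect(string stored, byte[] key)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 4 || parts[0] != "v1")
            throw new FormatException("Unrecognised protected password format.");

        byte[] nonce = Convert.FromBase64String(parts[1]);
        byte[] cipher = Convert.FromBase64String(parts[2]);
        byte[] tag = Convert.FromBase64String(parts[3]);
        byte[] plain = new byte[cipher.Length];

        using var aes = new AesGcm(key, TagSize);
        // Throws CryptographicException if the key is wrong or the row was altered.
        aes.Decrypt(nonce, cipher, tag, plain, Purpose);
        return Encoding.UTF8.GetString(plain);
    }
}
```

With this layout a database dump alone yields only ciphertext; anyone who can read both the database and the key store can still recover the passwords.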