Dear Site Owners,

I hired ForeFront Infotech (Jatin) for custom API changes based on the Seven Spikes API and mobile app development. First of all, all the screens and business logic I provided to him, he put my app as is for sale on the nopCommerce Marketplace. After raising an official complaint with the nopCommerce team, he removed that demo of my app from the Play Store, but later we learned he is still selling my Android app to everyone.

Recently I thought to upgrade my API from 4.2 to 4.4, and while exploring the source, we learned that there is no authentication system in place: if you request any data via the API, the server will return it. Yes, including all of your customers' data. So, if I know you bought a plugin or app from him, I can go to your site, query your customers' data and have everything about them, including their shipping addresses, etc.

I reached out to him today to ask why there is no authentication system in place, as there is in the original Seven Spikes version. His response was that, as his developers were struggling to overcome the issue, they completely removed it. "If you want, pay me and I will enable it."

So, if you bought an API and app from him and don't want your competitors to steal all the information about your customers, disable this API ASAP.

Here you can try going to http://www.YOURDOMAIN.com/api/customers and you should see your entire customer list with their shipping addresses without any authentication.

Thanks
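A small self-check for the exposure described in this post, added here as an example and not part of the original post or the vendor's code. It only uses the /api/customers path from the post; the customer field names it looks for and the sample replies are constructed assumptions, so run it against your own site and treat "exposed" as a reason to disable the API.

```python
"""Self-check: does /api/customers answer an unauthenticated request with customer data?"""
import json
import urllib.error
import urllib.request

# Assumed field names that mark a record as customer data (adjust for your deployment).
CUSTOMER_FIELDS = {"email", "username", "shipping_address", "billing_address"}


def classify_response(status, body):
    """Classify an unauthenticated reply: 'protected' (401/403), 'exposed' (2xx JSON
    containing customer-looking records) or 'unknown' (anything else)."""
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        records = data.get("customers", data) if isinstance(data, dict) else data
        if isinstance(records, list) and any(
            isinstance(r, dict) and CUSTOMER_FIELDS & set(r) for r in records
        ):
            return "exposed"
    return "unknown"


def fetch_unauthenticated(url, timeout=10):
    """Plain GET with no cookies, tokens or credentials; returns (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url, fetcher=fetch_unauthenticated):
    """Check your own site's /api/customers endpoint; fetcher is injectable for offline tests."""
    status, body = fetcher(base_url.rstrip("/") + "/api/customers")
    return classify_response(status, body)


# Constructed sample replies so the logic can be exercised without network access.
SAMPLE_LEAK = json.dumps({"customers": [{"id": 1, "email": "a@example.com",
                                         "shipping_address": {"city": "Example"}}]})
SAMPLE_DENIED = json.dumps({"error": "Unauthorized"})

if __name__ == "__main__":
    print(check_site("https://www.YOURDOMAIN.com", lambda url: (200, SAMPLE_LEAK)))
```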