• Hi WooCommerce Folks,

    Yes, there’s a huge security issue in your plugin code – you actually create a wonderful backdoor for spammers to ruin websites with tons of spam registrations.

    The spammers don’t even need to be very smart:

    1. They go to this site: https://www.getcreditcardnumbers.com/generated-credit-card-numbers (and this is just an example, I’m pretty damn sure there are tons of similar fake credit number generators)

    2. They download a JSON including, let’s say, 1000 fake credit card numbers.

    3. They create a macro – all this macro should do is
    / get a card number from the JSON
    / go to the targeted site
    / put a specific product to the cart
    / go to the checkout
    / fill the form with random field values (again, not so complicated to get random name, country, address, zip etc. data )
    / initiate the Stripe payment process, and use the fake credit number

    4. And voila, a spam registration is done.

    One of my clients has about 30000 orders and spam user accounts created this way, the amount of database trash slows down his site to such an extent that it is almost impossible to use it (backend, frontend both).

    Now, this is something I couldn’t believe when identifying the method – why don’t you create the user account only upon a successful purchase?

    I have some ideas why, but this is a backdoor that can’t be defended.
    No anti-spam plugin or service will protect a site from this type of attack.

    Please do something, and I’m very seriously asking you that do something _very urgently_!!! The fact that a WordPress site can be this easily polluted with hundreds of thousands of spam registrations in 2022 is terrifying.

    Thank you,
    Gabor/Lunule

Viewing 5 replies - 1 through 5 (of 5 total)
  • Rynald0s

    (@rynald0s)

    Automattic Happiness Engineer

    Hi @lunule

    This is super frustrating to say the very least and I am sorry your client has been a victim of this.

    No anti-spam plugin or service will protect a site from this type of attack.

    There are a few that can drastically reduce these, such as Anti-Fraud and reCaptcha for WooCommerce which protects your store from malicious and automated attacks (fake registrations and orders), exactly like this one.

    Cheers!

    Thread Starter Gabor Lippert

    (@lunule)

    Hi @rynald0s.a11n,

    Thanks for your reply – unfortunately, none of your recommendations solves the issue.

    1. The Anti-Fraud plugin cancels suspicious orders, but it doesn’t prevent the system from setting up/activating the spammer registration account. And the main issue is just the ease of bulk registering spam accounts the WooCommerce system or the Stripe add-on offers to spammers.

    A spammer can create a macro, as I mentioned earlier, and create 3000 or more spam accounts in an hour – as a result, the client might lose his hosting account (email server overhaul), but even if he has his own 3rd party email server solution, he can’t handle the 3000 delivery failure emails he gets each hour. Neither Gmail nor Outlook offers a way to set up a rule for such emails to get permanently deleted and bypass the trash folder.

    Again: this is a very easy way to completely destroy someone’s e-commerce activity with WordPress, if this someone needs Stripe payment support – and it’s either the core WooCommerce system or the Stripe add-on that makes this type of attack possible and pretty easy.

    Forcing your users to purchase various premium plugins to protect their site from a vulnerability you’re causing is a very unfair practice, no offense. Not to mention, these plugins don’t even do their job in a reliable way.

    2. reCaptcha for WooCommerce doesn’t even work. We tested this add-on, and it generated about 10 reCAPTCHA API related JavaScript errors on the front-end (with carefully configured and correct setup in the backend), completely breaking all login forms and making logins completely impossible.

    Yup, seems to be a helpful addition lol.

    Once again – I mean no offense, even when more-than-average harsh. But if you review everything I wrote here and above, you can see, and you can’t deny that this is a huge vulnerability issue on product level, and you’re letting it happen.

    I don’t even want to think about how long you’ve known about this problem and left it without a fix.

    As the problem is on product level, I think it’s obvious that it must be fixed on product level – instead of forcing WooCommerce users into further and unnecessary purchases of expensive and unreliable security add-ons.

    Hi @lunule

    I understand what you are saying and how frustrating this can be.

    When talking about security, please note many models implement multi-layer security levels and the goal is to make any attack more and more difficult for the attacker. While there are free plugins that you can use to implement captchas and anti-fraud on your site, please note they could be not supported directly by WooCommerce but by third-party developers.

    Some steps to consider in this case are (This can help you to identify not valid orders and to accept only valid payments):

    FAQ My site was hacked

    Also, you can implement an anti-fraud solution please check here to learn more:
    https://stripe.com/es-us/radar

    I hope this helps, feel free to let us know if you need further help.

    Thread Starter Gabor Lippert

    (@lunule)

    Hi Igor,

    Thanks for your reply – but this is nothing but a typical company reply.

    If you read my messages you would know that:
    1. The site was not hacked – it’s being ruined by spammers using a security hole in the core WooCommerce system, specifically in its credit card payment implementation.
    2. My client doesn’t have a problem with orders, thus anti-fraud solutions can’t fix it.

    I’m closing this ticket as I obviously won’t get anything here but template company responses and happiness engineering.

    To all WooCommerce users who can’t run their businesses without offering Stripe or other credit card payment solutions: the only way to stop spammers using this vulnerability and keeping the credit card payment gateway active at the same time is using email or OTP (SMS) verification on the checkout page, preventing the WC system from creating an account if the user doesn’t verify his email/identity. *

    (* Using SMS verification is more recommended,
    as fake email generators with an API to facilitate spammer activity are available the same way fake credit card number generators are. )
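Added example, not code from the thread or from WooCommerce: a minimal must-use plugin that implements the checkout email-verification gate described in the post above (and answers the earlier question of not creating accounts before a payment succeeds) by failing checkout validation, which WooCommerce runs before it creates the customer or the order. The `cevg_` names and the code-sending helper are assumptions; wiring that helper to a "Send code" button on the checkout page is left out.

```php
<?php
/**
 * Plugin Name: Checkout Email Verification Gate (example)
 * Description: Refuses checkout, and therefore account creation, unless the
 *              billing email has been confirmed with a one-time code.
 */

// Hypothetical helper: email a 6-digit code and remember its hash for 15 minutes.
// Call it from an AJAX action behind a "Send code" button next to the email field.
function cevg_send_code( $email ) {
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return false;
    }
    $code = (string) wp_rand( 100000, 999999 );
    // Transient keyed by a hash of the address; the stored value is a keyed hash
    // of the code, so the database never holds the plaintext code.
    set_transient( 'cevg_' . md5( $email ), wp_hash( $code ), 15 * MINUTE_IN_SECONDS );
    wp_mail( $email, 'Your checkout verification code', "Your code is: {$code}" );
    return true;
}

// Add a required "verification code" field to the billing section.
add_filter( 'woocommerce_checkout_fields', function ( $fields ) {
    $fields['billing']['billing_email_code'] = array(
        'type'     => 'text',
        'label'    => 'Email verification code',
        'required' => true,
        'priority' => 115, // rendered right after the billing email field
    );
    return $fields;
} );

// Check the code during validation, i.e. before WooCommerce creates the
// customer account, the order, or calls the payment gateway.
add_action( 'woocommerce_after_checkout_validation', function ( $data, $errors ) {
    $email = isset( $data['billing_email'] ) ? sanitize_email( $data['billing_email'] ) : '';
    $code  = isset( $data['billing_email_code'] ) ? trim( $data['billing_email_code'] ) : '';
    $key   = 'cevg_' . md5( $email );
    $saved = get_transient( $key );

    if ( ! $saved || ! hash_equals( $saved, wp_hash( $code ) ) ) {
        // Adding an error aborts checkout: no order, no account, no gateway call.
        $errors->add( 'validation', 'The email verification code is missing or incorrect.' );
        return;
    }
    delete_transient( $key ); // single use: a code cannot be replayed
}, 10, 2 );
```

Because failed checkouts never reach account creation, the flood of registrations and bounce emails described in the thread stops at the form, while legitimate customers only gain one extra field.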

    Plugin Support Sandip Mondal – a11n

    (@sandipmondal)

    Hi @lunule,

    Apologies for misunderstanding your request and sorry to hear about the issue your client faced.

    I understand that your site has received a number of spam orders using fake credit card numbers. These are usually referred to as bot attacks.

    And yes, you are correct – to restrict such spam orders, one should use a reCaptcha/OTP verification service on their site.

    You can use reCaptcha for WooCommerce or freely available plugins on www.ads-software.com that have not been verified by the WooCommerce team, like this one.

    Please let us know if you have any further questions.

  • The topic ‘Security issue’ is closed to new replies.