
Security issue you should be aware of - customers can access others accounts.



    We recently ran into a "bug" which allows Customer A to have access to customer B's account.

    The Situation...

    -Customer A adds items to their cart but can't checkout for some reason. Customer A calls the store to finish the order over the phone.
    -Sales Associate goes to order in "Not Completed" orders and intends to complete the order as a "phone order".
    -After clicking on the order, and then clicking on "complete", the phone order dialog is up.
    -Phone call gets disconnected before payment info can be made. And sales associate goes back to work on other orders.
    -Sales Associate needs to log in to Customer B's account for some reason.


    -If Customer A goes back online to try and complete the order, they are now given customer B's account. They can see address, saved cards (not full numbers thankfully) and complete order history.

    The Problem...

    -"Completing" an order turns it into a phone order, which sets a cookie as soon as that button is pressed. Even though you never interact with the front end, 3dcart treats you like the person who is placing that not completed order.

    -If at any point from there on you log in to the front end, it treats you like someone who was not logged in, but then who logged in, so it moves that not completed order to that account.

    -The issue is that Customer A still has their cookie assigning them to that not complete order. So now the system thinks they are Customer B.

    The Solution...

    The only solution now is to log completely out of the admin area if you start to complete a not completed order, but don't finish. This probably also means you have to clear your cookies, which is a hassle.

    I have brought this to 3dcart's attention. Their stance as usual with these things is that it's a "feature" not a "bug". However I feel that because the way the system works is not logical, it should be brought to people's attention so that you can avoid giving unintended access to customers.
    Last edited by NMTEACO; 03-24-2017, 05:51 PM.
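To make the sequence in the first post concrete, here is an added model of the two designs (constructed for this thread, not 3dcart's code): a store that derives identity from the shared not-completed-order cookie, beside one that keeps identity only in a server-side session and rotates the session id on login. Class and method names are assumed; `replay()` walks the exact steps described above and returns what the store believes Customer A's browser to be afterwards.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class VulnerableStore:
    """Identity is read from the not-completed-order cookie, which every browser holding it shares."""
    order_owner: dict = field(default_factory=dict)  # order_id -> account, None until a login

    def start_order(self):
        order_id = secrets.token_hex(8)
        self.order_owner[order_id] = None
        return order_id, order_id  # (cookie handed to the browser, order id): the same value
    def admin_complete_phone_order(self, order_id):
        return order_id  # admin's browser now carries the customer's order cookie
    def login(self, cookie, account):
        self.order_owner[cookie] = account  # the defect: the order, not the session, is re-bound
    def whoami(self, cookie):
        return self.order_owner.get(cookie)

@dataclass
class HardenedStore:
    """Identity lives only in a server-side session; an order is data a session points at."""
    sessions: dict = field(default_factory=dict)  # session_id -> {"account", "order"}

    def _new_session(self, account, order_id):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"account": account, "order": order_id}
        return sid
    def start_order(self):
        order_id = secrets.token_hex(8)
        return self._new_session(None, order_id), order_id
    def admin_complete_phone_order(self, order_id):
        return self._new_session(None, order_id)  # a separate session; the customer's is untouched
    def login(self, cookie, account):
        old = self.sessions.pop(cookie)  # rotate the id on login; the old cookie stops working
        return self._new_session(account, old["order"])
    def whoami(self, cookie):
        s = self.sessions.get(cookie)
        return s["account"] if s else None

def replay(store):
    """Steps from the first post: A starts an order, admin opens it, admin logs in as B, A returns."""
    a_cookie, order_id = store.start_order()
    admin_cookie = store.admin_complete_phone_order(order_id)
    store.login(admin_cookie, "customer_B")
    return store.whoami(a_cookie)  # vulnerable: "customer_B"; hardened: None
```

The check to carry into any review of such a flow is the last line: a cookie that only ever identified an anonymous cart must never start resolving to an account because a different session logged in.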

  • #2
    Wow thanks for the heads up, I had no idea. Currently I have my checkout shut off, because I'm swamped, but I complete a lot of incomplete orders where they get stopped at step one on the site via phone. I had no idea.


    • #3
      Our support is currently investigating this and waiting on the example order you were able to replicate this with. When the ticket was opened it was explained,

      "The scenario that you described happens only when you, as the store admin, log into the customer account from within the store manager. This happens because the browser cookie is set for an order, you then change users. Since the item is still in the cart when you log in with the second user, you can then checkout with that order.

      However, this can never happen for customers as one customer will never have the cookie set for a different customer for sessions. Additionally, in order to use the information stored in the cart account or the payment gateway, the customer would need to know the authentication information for the other user.

      There is no security breach, as it is described.

      To prevent this from happening on your end, when you are done with a session, make sure to click the "Log off" link. This will destroy the current session and prevent different information from displaying for subsequent orders.

      Carlos C."

      This wouldn't happen on the customer's end as stated, but if you have an example please reply to the ticket (SVF-508-94372) with the order id.


      • #4
        Hi 3dcart-william,

        I have spoken to Gonzalo to further explain the actual issue, he said he's looking into it.

        You're still not fully understanding the gravity of the situation. The login cookie allows the user of the uncompleted order to log in as any user the admin logs into after they have visited the not complete order. It is a security issue, as the system should not be using the same cookies for the customers, and the admins.

        It boils down to this: a customer should never be able to log in to another customer's account, no matter what the admin does.



        • #5
          Here is a redacted video to show the issue.

          Safari window to the right without login. Chrome window to the left with admin logged in.


          • #6
            I have had a similar issue in the past when working on an order and being logged into a customer's account, but I believe William is right -- since the cookie is set to YOUR machine, there is no way a customer can access that cookie and access any other customer's account. While your video describes the issue on your end, in order to fully test, you would have to be creating the initial order from another machine entirely and then completing the order on your machine. No?
            Joe Arbogast


            • #7
              I have done it on multiple machines... But I can't make a video of that. In the video they are two different browsers, which would not share cookies.

              I did it multiple times with the support person on the phone.


              • #8
                I wanted to update anyone who might have run into this issue before. Support has said they have fixed the issue, and will deploy it system wide.


                • #9
                  Just as a side note to this situation, in the "sort of, but not quite" category...

                  TODAY: Was logged into backend. Went to a customer order (a new, paid order in our system) to remove an item from the order and add a different one because customer called and wanted to change the order before we shipped it. Made the changes and saved the order.

                  A little while later I went to our site (front end) to look at something on a product page and check to see how some things were calculating for shipping in the View Cart page (all front-end stuff). Then I left to do other work.

                  3 hours later I just happened to look at the browser tab where our site was open on the front end and I see that I had been logged in as that customer whose order I'd worked on earlier in the back end and I had created an incomplete cart in her name/account which generated an incomplete order email sent to the customer.

                  Note that this had nothing to do with a phone order, or completing an incomplete order - this was all to do with a paid, new order in our system that I needed to edit and then re-save.

                  We've noticed weird stuff like this before but figured we were doing something weird/wonky. But today, I happened to be primed on this subject from having read this topic this morning. So I know exactly what I did and did not do.

                  Does this mean that any time we touch a customer order in the back end, we need to log out of our Admin before working on any other order or going to our site's front end? If so, it would be a monumental PIA.

                  Anyone able to clarify what's going on and if there's a way to avoid these problems?


                  • #10
                    Hi JustPoppin, I can confirm that adding an item to an order on the back end also logs the admin user into the front end of the website for that user. Thanks for pointing that out!


                    • #11
                      Thank you NMTEACO for the confirm. I didn't have the time needed yesterday to test to my satisfaction to be able to say for sure that I knew what was happening.

                      I think that if this is going to be the case, for whatever reason, then 3dcart should probably provide a list or matrix or something like that which indicates what actions in the back end are known to log into the front end, and/or affect customer accounts on the front end, and the steps we should take in the back end to prevent us doing something that causes the issues so far described.


                      • #12
                        Hey guys,

                        Just bumping up an old post to make sure that this issue has been resolved for everyone. Our developers did look into and address this issue back in late March and we have not heard any new reports since then, but I do want to make sure that no one in here that was having that issue is still having it. If you are, please feel free to list down some replication steps so that we can have our developers look into and test this for you immediately.