
Displaying customer passwords to admin
X-Cart forums > X-Cart 4 > Dev Questions

#51 | 11-21-2011, 05:54 AM | JWait (X-Man; Join Date: Nov 2005; Location: California; Posts: 2,440)

carpeperdiem, seriously, what is the problem? It's not like anything other than a customer's address, email address, and phone number is going to be associated with their account. All credit card information had better be separate or you have much bigger problems than someone being able to see a password.

And it's not just x-cart, as I pointed out in my previous post, anyone using Firefox is able to see every password displayed on a screen on any website.
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free
#52 | 11-21-2011, 06:02 AM | cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)

I agree with carpeperdiem - the password is there for a reason. It should not even be showing as a field in admin. There is no need for it (admin can always log in as that customer). Admin should not be able to see or modify customer passwords. If needed, customers can reset their password or create a new account.
Call your bank and ask them to tell you the password on your account - they won't, they simply can't; it is not showing for them. But they can tell you all the other info - name, address, phone, username...
__________________
Steve Stoyanov
CFLSystems.com
Web Development
#53 | 11-21-2011, 06:09 AM | carpeperdiem (X-Guru; Join Date: Jul 2006; Location: New York City, USA; Posts: 5,399)

Passwords are expected to be private and encrypted. That is my expectation as a customer.

Can Amazon or Oldnavy or iTunes or other billion dollar stores see their customer passwords from the backend? I am fairly confident they can't. Why should puny-ass x-cart stores want to behave differently?

It's about trust.
If the xcart platform is to be taken seriously by customers, we (merchants) better treat our customers like the goldmine they are.

There is no justification for unencrypted passwords, anywhere. None. There are tools to recover forgotten passwords, and an admin can make a new temp password (and require a password change on first login), built in.

The principle here is privacy, and an expectation of privacy between customer and store. By circumventing this and using an unencrypted password, a store breaks that trust.
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#54 | 11-21-2011, 07:28 AM | JWait (X-Man; Join Date: Nov 2005; Location: California; Posts: 2,440)

Quote:
Originally Posted by carpeperdiem
Can Amazon or Oldnavy or iTunes or other billion dollar stores see their customer passwords from the backend? I am fairly confident they can't.

While you are fairly confident they can't, they most likely can. How else can they tell you pretty much everything about your account?
#55 | 11-21-2011, 07:40 AM | carpeperdiem (X-Guru; Join Date: Jul 2006; Location: New York City, USA; Posts: 5,399)

Of course they have access to account data. That doesn't mean they can see an encrypted password. That's the point of this -- OF COURSE the merchant or bank NEEDS to have 100% access to all account data -- but the customer password will and should always remain encrypted. We've all had password issues of some sort over the years - and most systems are designed to NOT let a call center or admin in the backend EVER see a customer password. To protect the merchant as much as the customer.
That's the point. Not about a call center flunky knowing your checking account balance -- the systems are designed to prevent passwords from being visible to anyone but you. And if our system permits this, then golly geez it's time to fix this design flaw immediately.

I can't think of ANY circumstances where an admin needs to know the actual password of a customer. There are NO situations where this is needed. Period. In the case of a forgotten password, use password recovery. In the case of a username or email address change, use the admin, force a new temp password with a required password change on first login. I don't EVER want to know my customers' passwords. I expect this security hole to be patched.

Can we declare this a product default?
Do the PCI folks care about this "feature"?
#56 | 11-21-2011, 07:57 AM | JWait (X-Man; Join Date: Nov 2005; Location: California; Posts: 2,440)

Quote:
Originally Posted by carpeperdiem
And if our system permits this, then golly geez it's time to fix this design flaw immediately.

That is my point, it's not just "our system". Anytime anyone is looking at a web page anywhere that has a password field on it, anyone can decrypt it with a simple web browser addon.

That should be reason enough to not include any really important information like credit card numbers, social security numbers, tax numbers, etc. to be directly associated with that password.
#57 | 11-21-2011, 09:13 AM | carpeperdiem (X-Guru; Join Date: Jul 2006; Location: New York City, USA; Posts: 5,399)

I am declaring this a product defect.
User passwords should NEVER be displayed in the admin, even if they are hidden by dots.
#58 | 11-21-2011, 09:59 AM | cflsystems (Veteran; Join Date: Apr 2007; Posts: 14,190)

Quote:
Originally Posted by JWait
That is my point, it's not just "our system". Anytime anyone is looking at a web page anywhere that has a password field on it, anyone can decrypt it with a simple web browser addon.

This is because the password is displayed decrypted in the password text field in admin. If it is not displayed at all, the FF dev tools will not be able to show it to you.
#59 | 11-22-2011, 05:53 AM | JWait (X-Man; Join Date: Nov 2005; Location: California; Posts: 2,440)

Quote:
Originally Posted by cflsystems
This is because the password is displayed decrypted in the password text field in admin. If it is not displayed at all, the FF dev tools will not be able to show it to you.

I realize that, but since passwords are displayed encrypted at least 99.9% elsewhere on the internet it seems kind of ludicrous to complain about its presence in x-cart, particularly when it IS displayed encrypted by default. To call it a "defect" is ridiculous IMO. If you don't want to see the password then don't use the mod or addon, but that isn't going to make others not use them.
#60 | 11-22-2011, 06:00 AM | carpeperdiem (X-Guru; Join Date: Jul 2006; Location: New York City, USA; Posts: 5,399)

Quote:
Originally Posted by JWait
I realize that, but since passwords are displayed encrypted at least 99.9% elsewhere on the internet it seems kind of ludicrous to complain about its presence in x-cart, particularly when it IS displayed encrypted by default. To call it a "defect" is ridiculous IMO. If you don't want to see the password then don't use the mod or addon, but that isn't going to make others not use them.

No. It is NOT displayed encrypted. It is simply displayed (unencrypted), with a * character hiding the output. But the underlying password is in the html, and the code is using a browser (client side) feature to "hide" the password. That's useless.

X-cart needs to ENCRYPT the password, or simply not display it at all.

I stand by my statement, "design defect".
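The remedy the thread converges on (keep only a server-side hash, never echo a password into the admin form, and let an admin issue a temporary password with a forced change on first login), as an added Python example that is not X-Cart code; the user record layout and the function names are assumptions, and `masked_field_leaks` reproduces the pattern being criticised only to show that the value sits in the HTML regardless of the dots.

```python
# Added example (not X-Cart code): keep only a salted hash so the admin
# screen has no password to render. Record layout and names are assumptions.
import hashlib
import hmac
import html
import os
import secrets
PBKDF2_ROUNDS = 100_000  # tune to the server's budget

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex'; plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def masked_field_leaks(plaintext: str) -> bool:
    """The pattern the thread criticises: echoing the password into a
    type=password input. The dots are drawn by the browser; the HTML has the value."""
    page = f'<input type="password" name="password" value="{html.escape(plaintext)}">'
    return plaintext in page

def make_user(login: str, password: str) -> dict:
    """Constructed customer record: only the hash and a force-change flag are kept."""
    return {"login": login, "password_hash": hash_password(password), "must_change": False}

def admin_reset_password(user: dict) -> str:
    """Admin path from the thread: issue a temp password and force a change on next
    login. The temp value is returned once to hand over; only its hash is kept."""
    temp = secrets.token_urlsafe(12)
    user["password_hash"] = hash_password(temp)
    user["must_change"] = True
    return temp

def render_admin_form(user: dict) -> str:
    """Hardened form: no value attribute on the password input, so 'view source'
    or a dev-tools unmask trick has nothing to reveal."""
    return (f'<input name="login" value="{html.escape(user["login"])}">\n'
            '<input type="password" name="new_password" autocomplete="new-password">')

def login(user: dict, password: str) -> str:
    """'ok', 'change_required' or 'denied'; no branch needs a stored plaintext."""
    if not verify_password(password, user["password_hash"]):
        return "denied"
    return "change_required" if user["must_change"] else "ok"
```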
All times are GMT -8.