Yesterday we had an embarrassing reminder from Alex King concerning a vulnerability in Cart66 that he pointed out a long time ago. He went to check if the vulnerability was resolved and when he realized it was not resolved he let us know. So what happened and why did it take so long to get a fix for this problem?
Essentially what happened was that Alex submitted a support ticket to us describing a vulnerability and his support ticket was mistakenly left in a “Pending” state in our support ticket system. Pending tickets mean that we are waiting on additional information from the customer in order to resolve an issue. So this problem went unresolved for quite some time.
What are we going to do about it?
Yesterday Alex reminded us that this issue had been overlooked. This morning we released an update to Cart66 that resolves the problem. As embarrassing as this has been, it has helped us improve our support system. We have updated our support ticket system so that we can tag all tickets that have anything to do with security or vulnerabilities as “security” tickets. This will provide a quick and comprehensive way to see if there are any tickets concerning security. Now, even if a ticket is “pending” it won’t get overlooked. We will never “solve” a security ticket unless we have actually coded in a fix for the problem.
Oftentimes people resolve their own issues and forget to let us know that they no longer need help. This results in “pending” tickets that are actually “solved” because the person solved their own problem and no longer needs help. Security tickets, however, can’t be treated that way. Tagging all security tickets will keep things like what happened with Alex’s ticket from happening again.
So what was the vulnerability?
The vulnerability was that you could potentially add products to the shopping cart that had invalid product options. This would result in customers being able to purchase products with unintended product options such as more than one option from the same option group. If the product option changed the price of the product, this could result in products with incorrect pricing being added to the cart.
The vulnerability had nothing to do with customers’ billing information or gaining access to any of the private information in your store or WordPress site.
How did we fix the problem?
When a product is added to the cart, each product option that is selected is compared against the product options defined for the product. Server-side validation will only allow one option per option group to be selected, and that option has to be an exact match for one of the defined options. If an invalid option is detected, the item will not be added to the shopping cart.
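To make the validation rule above concrete, here is an added illustration written for this post; it is not Cart66’s own code. It assumes a constructed catalog of products with option groups, and enforces the two checks the fix describes: at most one option per group, and an exact match against a defined option, with the price recomputed on the server rather than trusted from the request.

```python
# Added example (not Cart66's code): server-side validation of submitted
# product options against the options defined for a product. Rules: at most
# one option per option group, and each option must exactly match a defined
# option. Prices come from the server-side definition, never from the
# request. All product data below is constructed for the illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    group: str
    label: str
    price_delta: float  # adjustment applied to the product's base price


# Constructed catalog: product id -> (base price, defined options)
CATALOG = {
    "tshirt": (20.00, (
        Option("size", "Small", 0.00),
        Option("size", "Large", 2.00),
        Option("color", "Red", 0.00),
        Option("color", "Blue", 0.00),
    )),
}


class InvalidOptionError(ValueError):
    """Raised when a submitted option set must not be added to the cart."""


def validate_cart_item(product_id, selected):
    """Validate an add-to-cart request.

    `selected` is a list of (group, label) pairs as sent by the client.
    Returns (accepted options, unit price) or raises InvalidOptionError.
    """
    if product_id not in CATALOG:
        raise InvalidOptionError("unknown product")
    base_price, defined = CATALOG[product_id]
    by_key = {(o.group, o.label): o for o in defined}  # exact-match lookup
    seen_groups = set()
    accepted = []
    for group, label in selected:
        option = by_key.get((group, label))
        if option is None:
            raise InvalidOptionError(f"{label!r} is not a defined option of {group!r}")
        if group in seen_groups:
            raise InvalidOptionError(f"more than one option selected from {group!r}")
        seen_groups.add(group)
        accepted.append(option)
    # Price is recomputed from the defined options, not taken from the request.
    return accepted, round(base_price + sum(o.price_delta for o in accepted), 2)
```

A rejected request carries the reason in the exception so it can be logged; repeated rejections from one client are a useful signal that someone is tampering with the add-to-cart form.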
The update is available from the plugin updater in your WordPress site as well as in the downloads section of our website.
Everyone on the Cart66 team is embarrassed that this has happened and we are all very sorry that a serious issue like this one slipped through the cracks. I, Lee Blue, as the owner of Reality66, take responsibility for the oversight. Even though I’m not personally working with support tickets very often it is ultimately my responsibility to make sure things like this don’t happen. I have met with each member of our support team and explained that security tickets are always top priority and we have established new practices to prevent issues like this from happening again. Everyone on our team takes their job seriously. We are constantly fixing problems and adding new features. We know that people, including ourselves, run businesses with Cart66. We will continue to do the best we can to provide a stable, secure, and innovative platform for ecommerce.
Thank you for taking the time to read this and thank you for your interest in Cart66.