hookActionCustomerAccountAdd $params shows unencrypted password

[yaniv14]

Not sure if its a bug, but I am working on a module that connect to new user registration hook (hookActionCustomerAccountAdd) and I have noticed that the $params return all POST data including the password field.

I don't know if its ok or not and if someone can use it to fetch users information.

Any thoughts?

[Traumflug]

You mean, a malicious module could steal that password?

Yes, that's entirely possible. Badly written modules can do a lot of harm, even bring down the entire shop. As far as I can see, there is no protection against malformed/malicious modules, each of them receives 100% trust, no matter where it comes from or who installed it. Mistrusting them opens a large can of worms, just look at all the measures web browsers implement to run JavaScript & Co. inside kind of sandboxes.

Guessing by the hook name I assume it wants to enable creating user accounts elsewhere, e.g. on an LDAP server or in a nearby blog, wiki, whatever. For such actions one needs the password.