thirty bees forum

hookActionCustomerAccountAdd $params shows unencrypted password


Question

Posted

Not sure if it's a bug, but I am working on a module that connects to the new user registration hook (hookActionCustomerAccountAdd) and I have noticed that $params returns all POST data, including the password field.

I don't know if it's OK or not and whether someone can use it to fetch users' information.

Any thoughts?

1 answer to this question

Posted

You mean, a malicious module could steal that password?

Yes, that's entirely possible. Badly written modules can do a lot of harm, even bring down the entire shop. As far as I can see, there is no protection against malformed/malicious modules; each of them receives 100% trust, no matter where it comes from or who installed it. Mistrusting them opens a large can of worms; just look at all the measures web browsers implement to run JavaScript & Co. inside a kind of sandbox.

Guessing by the hook name I assume it wants to enable creating user accounts elsewhere, e.g. on an LDAP server or in a nearby blog, wiki, whatever. For such actions one needs the password.
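As an added example (not code from this thread or from thirty bees itself), here is how a module's hookActionCustomerAccountAdd handler can avoid holding onto the credential: it reads only the fields it needs and redacts password-like values before anything is logged or forwarded. It assumes, as the question describes, that the hook passes the raw registration form as $params['_POST'] next to a 'newCustomer' object; the helper names and the sample data are constructed for the example.

```php
<?php
// Added example: a defensive handler for actionCustomerAccountAdd.
// Assumption: $params['_POST'] holds the raw registration form (including
// 'passwd') and $params['newCustomer'] holds the saved Customer object.

/** Key fragments whose values a module must never log, store or forward. */
const SENSITIVE_KEYS = ['passwd', 'password', 'confirmation', 'token'];

/** Return a copy of the form with every sensitive value replaced. */
function redactSensitive(array $post): array
{
    foreach ($post as $key => $value) {
        foreach (SENSITIVE_KEYS as $needle) {
            if (stripos($key, $needle) !== false) {
                $post[$key] = '[REDACTED]';
                break;
            }
        }
    }
    return $post;
}

/** Pick only the fields an account-sync module actually needs (allowlist). */
function accountFields(array $params): array
{
    $post = isset($params['_POST']) ? $params['_POST'] : [];
    return [
        'email'     => isset($post['email']) ? $post['email'] : null,
        'firstname' => isset($post['firstname']) ? $post['firstname'] : null,
        'lastname'  => isset($post['lastname']) ? $post['lastname'] : null,
    ];
}

// Constructed sample of what the hook receives; 'hunter2' stands in for the
// password the shopper typed.
$params = [
    '_POST' => ['email' => 'ann@example.com', 'firstname' => 'Ann',
                'lastname' => 'Lee', 'passwd' => 'hunter2', 'submitAccount' => ''],
    'newCustomer' => (object) ['id' => 42],
];

// What the module may write to its log: the password is gone everywhere.
$loggable = redactSensitive($params['_POST']);
assert($loggable['passwd'] === '[REDACTED]');
assert(strpos(json_encode($loggable), 'hunter2') === false);

// What the module forwards to its own backend: no password key at all.
$fields = accountFields($params);
assert(!array_key_exists('passwd', $fields));
print_r($fields);
```

The same redaction is worth applying in any hook that receives $_POST, since the plaintext also appears on the login and password-change forms.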
