hookActionCustomerAccountAdd $params shows unencrypted password

  • Not sure if it's a bug, but I am working on a module that connects to the new user registration hook (hookActionCustomerAccountAdd) and I have noticed that $params returns all POST data, including the password field.

    I don’t know if it's OK or not and if someone can use it to fetch users' information.

    Any thoughts?

  • You mean, a malicious module could steal that password?

    Yes, that’s entirely possible. Badly written modules can do a lot of harm, even bring down the entire shop. As far as I can see, there is no protection against malformed/malicious modules; each of them receives 100% trust, no matter where it comes from or who installed it. Mistrusting them opens a large can of worms; just look at all the measures web browsers implement to run JavaScript & Co. inside a kind of sandbox.

    Guessing by the hook name I assume it wants to enable creating user accounts elsewhere, e.g. on an LDAP server or in a nearby blog, wiki, whatever. For such actions one needs the password.
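    As an added illustration (not code from this thread or from the shop's own modules), this is how a module that legitimately needs the password for the use case above can handle the hook without letting the plaintext reach the shop's log table. It assumes the 1.6-style payload where $params carries '_POST' (the raw registration form) and 'newCustomer' (the Customer object), that the form's password field is named 'passwd', and that PrestaShopLogger::addLog is the logging call; provisionRemoteAccount is a hypothetical method.

```php
<?php
// Added example: hookActionCustomerAccountAdd handler that uses the
// plaintext password once and scrubs it from everything that is logged.
// Assumptions: $params['_POST'] is the raw form, $params['newCustomer'] is
// a Customer object, and the password field is called 'passwd'.

class MyAccountSyncModule extends Module
{
    /** Form keys that must never be logged or persisted by this module. */
    const SECRET_KEYS = ['passwd', 'password', 'confirmation'];

    public function hookActionCustomerAccountAdd(array $params)
    {
        $post = isset($params['_POST']) ? $params['_POST'] : [];
        $customer = isset($params['newCustomer']) ? $params['newCustomer'] : null;

        // Use the secret for the single action that needs it, then drop it.
        $plaintext = isset($post['passwd']) ? $post['passwd'] : null;
        if ($plaintext !== null && $customer instanceof Customer) {
            $this->provisionRemoteAccount($customer->email, $plaintext);
        }
        unset($plaintext, $post['passwd']);

        // Whatever is logged, stored or forwarded is redacted first.
        PrestaShopLogger::addLog(
            'Customer account created: ' . json_encode(self::redact($post)),
            1,
            null,
            'Customer',
            $customer instanceof Customer ? (int) $customer->id : 0
        );
    }

    /** Return a copy of the payload with secret fields replaced by a marker. */
    public static function redact(array $data)
    {
        foreach (self::SECRET_KEYS as $key) {
            if (array_key_exists($key, $data)) {
                $data[$key] = '[REDACTED]';
            }
        }
        return $data;
    }

    /** Hypothetical: hand the credentials to the external system (LDAP, SSO). */
    private function provisionRemoteAccount($email, $password)
    {
        // Send over TLS only; never write $password to disk or the log table.
    }
}
```

    When auditing a third-party module, the same keys are what to look for in its hook handlers: any path that writes $params['_POST'] to a log, file or database without redaction is the problem the thread describes.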


