thirty bees forum

Watch out for the hackers ETS-Soft


Cassim


Hi, TB forum.

Just a fair warning.

Take a look at my post on the PS forum:

https://www.prestashop.com/forums/topic/1066237-watch-out-for-the-hackers-ets-soft/

 

Quote

Dear all fellow Prestashop addons buyers. 

I have been working with Prestashop since 1.4. I have seen many things, I have worked with many developers, but never have I seen this. Never have I watched this happen on our site, done by a developer. Never did I see this coming.

ETS-Soft are the creators of many great modules, they have a captain rating on Addons.prestashop.com and the return i got from Prestashop was that they are highly trusted. So they are also unhappy to see this from them. 

In short, I did buy Loyalty, referral & affiliate program (reward points) from them, activated it close to 2 months ago now, and have had a publisher running some affiliates using the right URL from the module. From what our internal records show, they did deliver a good amount of orders to us, but the module did record 0 orders from them.

So we did contact ETS-Soft to help fix the module that was not working, and they asked for FTP and backend access. So we did provide module FTP access (only module level) and we did provide backend access (only module access). We did provide them with a fixed product that they needed to use in order to generate test orders without having to pay for the order. As we sell digital content, there are no refund rights/options, so once an order is placed a payment will need to be handled. So we did provide a test item called "test" that they were able to access from /test, in the hope of making it super easy. As our system is live with many customers daily, we were unable to activate a test flow, so we asked them to use real payments on our test product, which was set to 1dk/1$/1€/1GBP, so no matter what they would see just a 1-value charge on their card.

But here the first issue did start. A few hours after providing this, we got a message back from them: "we are unable to process the payment". It did show that they were located in VN and did use a credit card from Spain, so our payment gateway did block the transaction. We told them that the location and card issue country had to match, and the next try from them was still from VN, but this time with a credit card from France. Which again doesn't match, so again blocked.

Now what happened next is where the real issue did start.

They did write to us again that the payment failed, and once again we did inform them about the missing match between location and credit card. We did not hear anything other than a simple "Hello, - Thank you for your note - We'll try out and be back soon My warmest regards," This was 13/7 05:06 AM.

At 13/7 09:24 AM, when I got into the office, I did see 2 orders from a test user. 3 seconds later order number 3 did go in. But the orders were not on our test product /test, the orders were not using credit cards, and the orders were on real products at a total cost of 158,63€: 3 orders with 3 different products. These 3 orders were placed with bankwire. Luckily for me, some time ago we did re-code the bankwire module so that you needed a special user rank in order to see the bankwire payment option in the frontend, so it was not shown to all our other customers/guests.

So my first question was: how can this happen? How can they

  1. Activate the bankwire module? 
  2. Place an order using that module, as normal guests/customers can't see it. (You need a special rank.)
  3. Even get access to edit the information needed?

We have an internal recording system built into the system for debugging (Hotjar-alike). This was the first place to look, and what we found did really remove all trust from ETS-Soft.

Here is the flow ETS-Soft did go through.

  1. Try to order our product /test --> keep failing due to credit card and location not matching (which we told them)
  2. Upload a file called "tinyfilemanager.php" to their module folder.
  3. Access this file on the frontend (the file was a file manager system opening up our whole root folders and files)
  4. They did now open and copy the information from our "defines.inc.php" & "settings.inc.php" files.
  5. Now using the settings.inc.php information, accessing our database to alter the needed information.
  6. They did add all user profile rights to their "test account", and they did activate the Bankwire module.
  7. They did alter the backend user profile rights to get access to our modules.
  8. Now they did go to the frontend and did place 3 orders for 3 different "real" items. (NOT the TEST item)

When I then confronted them with the issue here, the only response I got from them was:
***

Hi, -- Due to the price change and no add cart button on the test product: https://i.imgur.com/7NXAu15.png -- So we did some tests in another item, and the module core still correctly works and generates the reward for the user. That means, the module functional -- You can try now to do the test with other items and payment methods, the reward should work correctly in the affiliate program --Should you got any issue with the program in a specific case or user account you are testing, please send us the information and the account to allow us assist you

***
I do agree with them, the price did change, as you also can see on the screenshot. But the funny thing here: why should we change the price from 1$ on our own test product to 200$??
Our records show that the last change to the test product was made from the database and not within the backend, because if you change it within the backend, the database field "last updated" will change to the current date. Which is not the case with the test product; it has an updated time way back.
I'm not saying that they did change the price, as I can't prove they did it, but it's funny that the price change happened after I did complain to them that they did hack their way into our site and did alter our content on the website.

We have changed all passwords and information on our system, but if you already are logged into the database, you won't be logged out of the database with a password change. 


So the dear ETS-Soft owe us 158€. They don't want to honor the fact that they did break our trust, that they did hack their way into our system, that they did alter the product price to make themselves look "better".
They provide a simple free file as a "we are the good ones" note.

So here is the 100% honest version of how ETS-Soft is working on this. 

Right now we are working with our lawyers to see if this case can hold in a court. Right now we are talking amount and issues based on this little show here, which can cost us way more than the small 158€.

But please dear fellow forum, please watch out with ETS-Soft before providing them with access to your site, if you have any content that is not to be shared. 

This case has also been reported to Prestashop, and they are looking into it also.

 

  • Like 1
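
An added example, not part of the original post and not PrestaShop or vendor code: one way to catch step 2 of the flow described in the post is to snapshot a module folder before granting folder-scoped FTP access and diff it afterwards for new or changed executable files. The module name, file contents and the extension list are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

# Extensions the web server may execute as code (assumption; adjust to your config).
EXECUTABLE_EXT = {".php", ".phtml", ".phar"}

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Return added, modified and removed paths between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "removed": sorted(p for p in before if p not in after),
    }

def executable_changes(changes):
    """Added or modified files that the web server could run as code."""
    return [(kind, path)
            for kind in ("added", "modified")
            for path in changes[kind]
            if os.path.splitext(path)[1].lower() in EXECUTABLE_EXT]

def demo():
    """Constructed module folder before and after a third-party support session."""
    with tempfile.TemporaryDirectory() as root:
        module = os.path.join(root, "examplemodule")  # hypothetical module name
        os.makedirs(os.path.join(module, "views"))
        for rel, body in (("examplemodule.php", b"<?php // module"),
                          ("views/a.tpl", b"{* template *}")):
            with open(os.path.join(module, rel), "wb") as fh:
                fh.write(body)
        before = snapshot(module)
        # Simulate the upload named in the post (placeholder content only).
        with open(os.path.join(module, "tinyfilemanager.php"), "wb") as fh:
            fh.write(b"<?php // placeholder")
        return executable_changes(diff_snapshots(before, snapshot(module)))

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Store the "before" snapshot outside the web root, so that whoever has write access to the module folder cannot alter the baseline as well.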