This is great. Truly unbelievable how quickly can someone dig their own hole.

Security guy’s blog post

The GitHub issue. Well worth a read.

  • AutoTL;DR@lemmings.worldB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    🤖 I’m a bot that provides automatic summaries for articles:

    Click here to see the summary

    The owner of the e-commerce store management system OpenCart has responded with hostility to a security researcher disclosing a vulnerability in the product.

    This was before tagging him and another user who highlighted a session hijacking issue affecting OpenCart versions also vulnerable to the code injection flaw, validating the seriousness of Brollo’s report, telling them to “FUCK OFF.”

    The incident bears resemblance to a similar case dating back to 2012 when members of the infosec community on a number of occasions drew OpenCart’s attention to its insecure password-hashing practices.

    Onlookers were forced to explain why alternatives should be implemented to increase the level of password security to an acceptable standard.

    Kerr responded to users, who flagged issues surrounding the methods for generating salts and the low number of iterations of its SHA1 algorithm, initially by questioning their experience.

    Main competitors include firms such as WooCommerce, Shopify, and Squarespace – all of which command a significantly greater market share compared to OpenCart, according to Statista’s data.


    Saved 77% of original text.