Security - order detail disclosure to thir parties

[RedJohn]

Hi, sorry for my English.
I have a problem viewing the details of the order (a link from an email client). We have for example something like this:

domain.pl/index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=xxxxx

These are the details of the customer, available for virtually any user or bot.

If someone has installed the tracking code such as Google, or some other code that might be a problem.

I would have at least put there tag noindex, nofollow, noarchive, or somehow better protect the personal data.

if think about "$document->setMetaData('robots', 'noindex, follow, noachive');" but this don't work.

[Milbo]

You think that google could try to hacke the orders?

[RedJohn]

People have a variety of browsers, plug-ins and toolbars.
GWT (Google webmasters tools) or GA (google analitics) also collects information if you perform tracking code. Just like other similar applications.
I would prefer that these sites were not included in the google index or something.

[RedJohn]

I think the robots.txt file works on different principles.
You can exclude the entire floder or a single file.
Orders is a lot and does not make sense for everyone to create an entry in the robots.txt file

[RedJohn]

robots.txt file is taken into account by the respected search engine such as Google.
Noindex and nofollow attribute is also taken into account.
It Happens that bots follow the locations excluded, but respect the entry indexation.

If it seems to you that the indexation of contracts is impossible.
Example Request for Google:

allinurl: layout details order_number

[Jörgen]

Hello

This looks like disaster in the happening. Here are orders from several Virtuemart websites, fully visible out in the open.
How can we stop this from beeing googled ? To me this looks like is a serious security issue, at least a serious privacy issue.

Thanks You RedJohn for bringing attention to this.

Jörgen @ Kreativ Fotografi

[Maxim Pishnyak]

robots.txt file is taken into account by the respected search engine such as Google.

and? I told you that robots.txt is useless in your case
wonna block google on orders web page? use one of seo extensions from joomla.org
I can't see that choosing and utilizing one of such extensions is a disaster anyhow

[RedJohn]

I think it is so serious that it should be implemented in the source VM.

You can recommend a plugin?

[AH]

Maxim :- No one should have to implement a third party SEO plugin, that does not make sense. (Read the hundreds of post regarding how well VM is designed to do a good job for seo)

The VM team should address this as a matter of urgency to prevent such disclosure!

• How/why is it happening
• What can be done now to prevent it happening/access
• Long term solution

Disclosing personal information to third parties is illegal in most countries, without even considering the reputational and risk issues for any large trader.

You think that google could try to hacke the orders?

No Milbo, but I know a there will be many dubious people who will exploit it instead!

Nice for third party fraudsters to get hold of:-

Full email
Full Address
Phone number

And be certain that this problem will be on the bulletin boards in no time!

[Milbo]

This looks like disaster in the happening. Here are orders from several Virtuemart websites, fully visible out in the open.

Hmm? No, the orders are protected by a login name ( the order number) and a password (the order password). If you think that google tries to hack your account, then you can say "It is a disaster, the backend of joomla is fully visible". No it is not.

In case you use vm2.0.4 or lower, yes there is a bug so that you can reveal the order info, but not later.

We can discuss to add a blocking feature, which blocks every IP for an hour which tried it 5 times. We can make the password longer, but people will hate it.

We can add a tracking feature, which keeps track of all strange actions. When someone tries to login the Backend with wrong name/password. When someone tries to login joomla and when someone tries to see the orders.

If you consider passwords as unsecure, then I just can tell you nothing is secure. 

[AH]

Milbo

So is it the case that this cannot happen in Vm 2.0.21e

and that these cases are dut to an older release of VM 2?

How does google crawl such urls??

[Milbo]

It is the same like /administrator,....

What Red John means is just that you can reach the orders with domain.pl/index.php?option=com_virtuemart&view=orders&layout=details&order_number=013408&order_pass=xxxxx,

But the order_number and the order_pass must fit to eachother. So what he fears is that google sees domain.pl/index.php?option=com_virtuemart&view=orders&layout=details and then tries any order_number and password.

So in general he fears that the combination of order_number and order_pass ist not safe enough. But the usual order_number has at least two random chars in it and the password 5. So we have 7 chars, this are ~62 power 7 possibilities or = 3 521 614 606 208. Lets assume every request takes 300 ms. So for an attack with 50% chance you need 0.3s * 1760807303104 = 528242190931,2 seconds, or 146733941,92 hours, or 16750 years.

There maybe an error in my calculation, but if you have 800 years or 16750, I think there is no difference. We consider things as safe, when an attack with 50% chance needs longer than 20 years. We can increase the length of hte order_pass, then we have 218 340 105 584 896 possibilities and it would still not hacked if someone started the last ice age ;-). Consider that attacks on a server are not done like with your zip. You can attack an encrypted file  maybe 5k times per second. Not 4 times like a php interface.

[RedJohn]

It's not about breaking the code and its strength.
It's about google index content.
Much helped by the addition of
"<meta name="robots" content="noindex, noachive" />"

Why these pages appear in google?
In my opinion:
1 Therefore, it is permitted that indexing and cache.
2 Perhaps the extras plugins in Virtuemart, browser plug-ins, code tracking, statistics.

Tracking code runs on virtually every page (eg statistics).
Tracking code and other extras get on the site and send it to the index.

I am entering the name and surname does not want to eg google was like a tray that I bought, where and when.


Again, sorry for my English.
I hope you understand me;)

[Milbo]

how should google find it? How do you access the order data without knowing the password?

[AH]

Are you saying that because you have google analytics running

Google will index/crawl the url when a customer visits the page.

Just because it has reported it to analytics?