Good Service, Bad Security Practices
While I love the idea of using machine learning techniques via cloud services to filter spam, following good security practices is far more important. The plugin is super easy to install and the service is easy to use and seems to be pretty accurate. That said, I am running a multi-vendor marketplace where security is very important. Unfortunately, the authors of this plugin have overlooked security. By default, user logins and registrations are captured with passwords being sent to the cloud service and stored in plain text. Not only is it inappropriate for admins to view user login info, but it is very unsafe for an external service to be storing my users’ info in plaintext on their servers, over which I have no control. They list a way to exclude fields from being logged; however, after following the steps listed, the form errors out saying “password required” even though a password is entered. While I could have messed around unhooking the events from the login and registration fields, I don’t want to use a plugin with such a major security flaw. I didn’t want to fix that issue and find out later of some other issue through a lawsuit.