• While I love the idea of using machine learning techniques via cloud services to filter spam, following good security practices is far more important. The plugin is super easy to install and the service is easy to use and seems to be pretty accurate. That said, I am running a multi-vendor marketplace where security is very important. Unfortunately, the authors of this plugin have overlooked security. By default, user logins and registrations are captured, with passwords being sent to the cloud service and stored in plain text. Not only is it inappropriate for admins to view user login info, but it is very unsafe for an external service to be storing my users’ info in plaintext on their servers, over which I have no control. They list a way to exclude fields from being logged; however, after following the steps listed, the form errors out saying “password required” even though a password is entered. While I could have messed around unhooking the events from the login and registration fields, I don’t want to use a plugin with such a major security flaw. I didn’t want to fix that issue and find out later about some other issue through a lawsuit.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Denis

    (@shagimuratov)

    Hello,

    Thank you for feedback!

    Do you use any special (non-standard) plugin to build a registration form? CleanTalk doesn’t capture the password field for the standard registration form, nor for BuddyPress or bbPress registration forms. If you let us know the plugin name, we will fix our plugin to exclude the password field from capturing.

    Also, please set the option ‘Don’t save approved requests’ in your account settings:
    https://cleantalk.org/my/profile

    In this way the service stores only IP addresses from received requests. All other fields are removed completely.

    To remove any private data already stored in our service, please go to the Anti-spam log:
    https://cleantalk.org/my/show_requests?int=week

    Then click ‘Delete all approved requests’ to remove the data from our servers.

    In conclusion, we do our best to keep the plugin secure with personal data, but with some less widely used WordPress plugins we have to fix our plugin/service to resolve a security issue.

    Thank you!

    Hello!
    Sorry for these issues!
    We’re not logging passwords from standard registration forms, but we can’t predict the purpose of non-standard forms, so we intercept all data to analyze it. We have functionality for excluding any fields from being sent to our servers; it is described in our FAQ. Also, you can create a ticket in our ticket system and we can discuss your problem. If your marketplace plugin/CMS is widely used, we’ll add exclusions in the plugin, and this problem will disappear.
    So, your problem could be solved within a few hours, and there is no reason to write negative reviews.

    By the way, the option “Check all post data” warns you that all incoming data will be intercepted.
    Also, you can disable saving logs in your CleanTalk Dashboard.
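The exclusion mechanism discussed above (the reviewer's "password required" error and the author's "we intercept all data" reply) comes down to one design point: redact credentials from the copy that leaves the site, not from the request the form itself validates. The following is an added illustration in plain PHP, not CleanTalk's code; the field names, the `SENSITIVE_FIELD_PATTERN` list and the `build_spam_check_payload` function are assumptions for the example.

```php
<?php
// Added example (not the plugin's own code): build the payload for an external
// spam-check service from a redacted *copy* of the submitted data, so that
// passwords never leave the site while $_POST stays intact for WordPress.

// Assumed denylist of key names; extend to match the forms actually in use.
const SENSITIVE_FIELD_PATTERN = '/pass|pwd|secret|token/i';

/**
 * Return a deep copy of $data in which every value whose key matches the
 * sensitive-field pattern is replaced by $mask. Nested arrays are handled so
 * that fields posted as profile[api_token] are redacted too.
 */
function redact_sensitive_fields( array $data, string $mask = '[redacted]' ): array {
    $out = array();
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            $out[ $key ] = redact_sensitive_fields( $value, $mask );
        } elseif ( preg_match( SENSITIVE_FIELD_PATTERN, (string) $key ) ) {
            $out[ $key ] = $mask;
        } else {
            $out[ $key ] = $value;
        }
    }
    return $out;
}

/**
 * Hypothetical hook point: a plugin would call this just before sending its
 * API request. Only the redacted copy is returned; the caller's array is
 * never modified, so the login/registration form still sees its password.
 */
function build_spam_check_payload( array $post ): array {
    return array(
        'sender_ip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'fields'    => redact_sensitive_fields( $post ),
    );
}

// Constructed sample of a registration POST (not real user data).
$sample_post = array(
    'user_login' => 'alice',
    'user_email' => 'alice@example.com',
    'pass1'      => 'hunter2',
    'pass2'      => 'hunter2',
    'profile'    => array( 'bio' => 'hello', 'api_token' => 'abc123' ),
);

$payload = build_spam_check_payload( $sample_post );
if ( '[redacted]' !== $payload['fields']['pass1'] || '[redacted]' !== $payload['fields']['profile']['api_token'] ) {
    throw new RuntimeException( 'redaction failed' );
}
if ( 'hunter2' !== $sample_post['pass1'] ) { // original untouched, so the form still validates
    throw new RuntimeException( 'original request was modified' );
}
```

The same idea applies to whatever "Check all post data" style option a plugin offers: the broader the capture, the more important it is that redaction happens on the outbound copy rather than by removing fields the form needs.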

  • The topic ‘Good Service, Bad Security Practices’ is closed to new replies.