Support » Plugin: WooCommerce » WP security issue with media files & lack of WC encryption

  • Resolved magicpowers

    (@magicpowers)


    Hi
    I have identified a WP security issue with media files which is very serious when you sell virtual downloadable products eg audio files which are stored in the media library.

    These files are fully accessible by the URL of the media file where they can be simply downloaded for free. Many people don’t know about this.

    One way to prevent this is to disable Google indexing on those media pages through the SEO plugin that gives such an option.

    However, the issue doesn’t end here. If your file is called My Wonderful Meditation.mp3 it’s a no brainer to figure out the url to the media page with this file and download it for free. So I have renamed my audio files and the slugs to random codes of letters and numbers. This has changed the url but the issue is still unresolved as WC is NOT encrypting my purchased audio files.

    When I test download my purchased audio file, it has its original name – instead of encrypted. Yes, on the order it shows the name I entered on the product page, but the actual file which is downloaded has its original name. So that file name can be easily used to figure out the full url to the media page from which the file can be downloaded for free by someone else (who hasn’t paid for it).

    Questions:

    1. Does anyone know how to protect the media library pages from being accessed by their url by anyone, and how to protect the audio files they contain from being played and downloaded?

    2. Why doesn’t WC encrypt the file name being downloaded?

    3. This is a very serious security issue with the WP media library where all downloadable products like audio files, ebooks etc are stored. Does WC recommend any other place on my website where my virtual downloadable products can be SECURELY stored with NO external access?

    I would appreciate your advice.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Stef

    (@serafinnyc)

    Someone will still be able to copy the download link from their orders page or the order email and share that URL with others. However, you can require that the user be logged in to download by going to WooCommerce > Settings > Products > Downloadable products and enabling the “Downloads require login” option. More on this is shown here:

    https://docs.woocommerce.com/document/digital-downloadable-product-handling/#section-1

    Thanks for your reply, but it still doesn’t answer my questions above and it’s not applicable to me as I don’t require my customers to create an account and log in when they simply want to purchase my products. That would be a deterrent.

    Make sure WooCommerce > Settings > Products > Downloadable Products > File Download Method is not set to “Redirect only”. Set it to “Force Downloads”, for example; this will protect the url.

    • This reply was modified 5 months, 3 weeks ago by Soft79.

    Good point, thank you.

    I have it set to: X-Accel-Redirect/XSendfile – mainly because the Help note says that “some servers may serve large files unreliably” in forced downloads.

    If I set it to “force downloads”, how and when will the file be delivered? How will the url be hidden?

    I want my customers to receive or be able to download the file immediately after the payment has been processed successfully.

    thanks

    • This reply was modified 5 months, 3 weeks ago by magicpowers.

    The url will be in the confirmation mail. It contains stuff like the order number and some kind of hash to identify the order/customer IIRC. Just place an order and see.
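    An added example, not code from this thread or from WooCommerce itself, for question 2 in the first post: WooCommerce exposes a `woocommerce_file_download_filename` filter, so a site can serve a purchased file under the product’s title instead of the stored file’s name, and the name the customer receives no longer points back to the media-library URL. It assumes the File Download Method is “Force Downloads” or X-Accel-Redirect/X-Sendfile (in “Redirect only” mode the browser is sent to the file URL directly and no filename is applied); the function name `mp_mask_download_filename` is invented here.

    ```php
    <?php
    /**
     * Added example (not WooCommerce core code): serve downloads under the
     * product's title so the delivered file name does not reveal the
     * name of the file stored in the media library.
     *
     * Assumes WooCommerce's `woocommerce_file_download_filename` filter,
     * which receives ($filename, $product_id) in Force Downloads and
     * X-Accel-Redirect/X-Sendfile modes. Load it as a must-use plugin or
     * from the theme's functions.php.
     */
    add_filter( 'woocommerce_file_download_filename', 'mp_mask_download_filename', 10, 2 );

    function mp_mask_download_filename( $filename, $product_id ) {
        $product = wc_get_product( $product_id );
        if ( ! $product ) {
            return $filename; // Unknown product: leave the name untouched.
        }

        // Keep only the real extension so the file still opens correctly;
        // strip anything that is not alphanumeric to avoid odd header values.
        $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
        $ext = preg_replace( '/[^a-z0-9]/', '', $ext );

        // Build the served name from the product title, e.g.
        // "my-wonderful-meditation.mp3"; fall back to the product ID.
        $base = sanitize_title( $product->get_name() );
        if ( '' === $base ) {
            $base = 'download-' . (int) $product_id;
        }

        return '' !== $ext ? "{$base}.{$ext}" : $base;
    }
    ```

    This only changes the name WooCommerce sends with the download; the stored file itself stays reachable at its media URL, which is what the first post describes, so the files still need to live somewhere the web server does not serve directly.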
