Warning: Cart66 Vulnerability

UPDATE: Please see this follow-up post.

Last summer we were working on an e-commerce site that integrated Cart66 with WordPress. As part of the development effort there, my team at Crowd Favorite discovered a vulnerability in Cart66.

We reported this to the Cart 66 team on July 11, 2011 and received the following response on July 12, 2011:

Alex,
We are aware of this issue and are working on a solution. I dont have a date for the fix but we’ll keep you posted.

Last week (on April 10, 2012) I received the following email:

Hello Alex,

We haven’t heard from you in 3 or more weeks so we are going to go ahead and solve this ticket. Do not hesitate to reply if you have any further questions.

My guess is that this is an automated email generated by their ticket system, but it reminded me I’d never properly followed up on the issue. We tested the current version of Cart66 (version 1.4.5) and the vulnerability is still present.

At WordCamp San Francisco last summer I posed a question during the Q&A session to get input from others on the best way to handle this situation. The agreed on course of action was to:

  1. Responsibly disclose the issue privately to the developer.
  2. Give the developer time to address the issue.
  3. Go public with the information if the issue is not addressed (it’s more important to let the users of the software know about the issue than it is to extend any “security by obscurity”).

As such, we plan to release the details of this vulnerability in two weeks (on April 30th).

We sincerely hope that the Cart66 team will address the vulnerability with a release that fixes the issue before this time (and responsibly notify their customers of the issue and the importance of upgrading). However, given the overall lack of response we’ve seen from the Cart66 team on this issue, my recommendation would be to evaluate other e-commerce solutions.