So... if I read this right...
So... the owner of a fuckwit company, with a history of fuckwit responses to serious vulns and flaws... is a... fuckwit?
Or have I missed the point?
The owner of the e-commerce store management system OpenCart has responded with hostility to a security researcher disclosing a vulnerability in the product. Penetration tester Mattia Brollo brought a static code injection vulnerability to the attention of OpenCart by opening a GitHub issue on October 14, only to be met with …
Perhaps he should change his name to Wayne Kerr
Wayne Kerr electronics is a real company in Bognor Regis.
When I was a PSIRT member, we (collaboratively) drew up a fairly extensive document and flowchart for how to respond to reports of possible vulnerabilities from outsiders, whether they were customers or independent security researchers or whatever. Prompt and frequent communication and respect were top priorities.
No software vendor does itself any favors by attacking people who report possible vulnerabilities — even if the report is bogus, even if the reporters are looking for money, even if the reporter starts off hostile or unhelpful. (There are always the assholes who don't follow responsible-disclosure policies, for example.) But you can always say "no" politely; you can always explain, politely, why the report is wrong. And, of course, you should start by assuming there is a problem, and be quite sure before you decide there isn't one.
It's a weird way to respond to people taking their time to improve your product. Much of the time, reporters are pen testers that likely have the knowledge and expertise to offer a mitigation. Why a product maintainer wouldn't embrace genuine offers of help for free is quite beyond me.
Sounds like the author has a serious ego problem.
Perhaps he would learn more quickly if a bunch of day zero vulnerabilities are dumped on his lap as they are actively being used to attack his customers.
There is nothing like having angry customers on the phone or the product reputation going down the pan.
This should help in their anger management training and their learning of why vulnerability disclosure practices are like they are in the industry.
He should also learn about the payment schemes that others do for successfully identified bugs as obviously his own test teams are not doing their job.
More likely everything from the brainstem up has liquified into his offensive vomit.
My sympathy is for any smaller enterprise that directly or indirectly relies on any service that uses this nut job's software.
In the real face to face world this level of obnoxious would quickly lead to one face being removed or at least severely remodelled.
Rates at least a 110% defenestrationability score.
Looks like OpenCart is an open source shopping thing. So I'd say their biggest competitor is Magento (which has open source, commercial, and hosted offerings I think), not those other SaaS platforms mentioned (though they could be the biggest in the space). Part of the point of having the source is being able to customize it beyond what SaaS allows.
I worked at a couple of orgs that used Magento Enterprise (hosted on our own gear), though the last version that we used was 1.14 I think (which is probably 8-10 years old now).
This is altogether common in the world of the internet, alas.
A few months back, I discovered a code injection vulnerability actively being exploited on the NACUBO site. I emailed the site admins, nothing. Notified them via Twitter, they blocked me. Reached out to the guy listed as the site's head of information security on LinkedIn, he told me to go away. Just checked right this moment, the vulnerability—which has the potential of yielding total control of the site to an attacker, and is still being actively exploited in the wild—is still there.
Some people take a security disclosure as a personal attack—a sort of "you're a dumbass loser, look at this thing you screwed up"—and get defensive. Folks like that are sadly commonplace.
"P.S.
Also, if anyone is looking for a good story I know a very good one that involves child traffickers, judges and police. It will make your blood boil!"
Kerr is, as an old friend used to say, 'completely booloo' as well as deeply irresponsible and thoroughly unpleasant.
Hopefully this story and that GitHub discussion will dominate the Google results whenever anyone searches OpenCart vulnerabilities.
Seriously though, labeling a vuln as 'spam', banning users for reporting vulns, replying with insults and profanities and locking down threads to collaborators only because someone politely points out a potential problem is a screaming klaxon, red-flag-waving signal of very real problems in the project and the management of a project.
One to be avoided.
Normally I'm a latecomer to these comments sections on El Reg (time zone differences mean I read the article the next day or two, if it has been a weekend).
But sometimes that works in my favour - decided to check out the linked issues discussion - and it's been updated since this article was written... clearly he (or someone he knows) reads El Reg, and he has had an even bigger meltdown over the vuln reporting.
As my wife would say "Tee Eff Eff" (too fucking funny)
"Next time, let Open Cart BURN and stew in the mess."
I may have missed something, but how would a successful exploit harm OpenCart? It's not their servers getting pwned, it's those of the poor sods who installed the stuff. (Or maybe the poor sods' customers whose account info got swiped from the pwned servers...)
Question from an ignorant pre-victim: When I connect to an on-line store, how can I tell whether they're using OpenCart? If my info is going to get hacked, I'd prefer to order my purple pills and latex novelties somewhere else...
Interesting question. I took a quick look through the sources, hoping there would be a JavaScript file with a distinctive name (since that's easy to recognize and block from the client side), but it looks like they're all common frameworks and similar crap except "common.js", which is a ... well, common ... name.
If the site serves opencart-logo.png, that's a giveaway, but a site could just change the code to not serve it.
I haven't looked further.