back to article OpenCart owner turns air blue after researcher discloses serious vuln

The owner of the e-commerce store management system OpenCart has responded with hostility to a security researcher disclosing a vulnerability in the product. Penetration tester Mattia Brollo brought a static code injection vulnerability to the attention of OpenCart by opening a GitHub issue on October 14, only to be met with …

  1. The Dogs Meevonks Silver badge

    So... if I read this right...

    So... the owner of a fuckwit company, with a history of fuckwit responses to serious vulns and flaws... is a... fuckwit?

    Or have I missed the point?

    1. Doctor Syntax Silver badge

      Re: So... if I read this right...

      "Or have I missed the point?"

      Let's hope those looking for shopping cart functionality don't miss it either.

    2. simonlb Silver badge

      Re: So... if I read this right...

      Perhaps he should change his name to Wayne Kerr.

      1. Alan J. Wylie

        Re: So... if I read this right...

        Perhaps he should change his name to Wayne Kerr

        Wayne Kerr electronics is a real company in Bognor Regis.

        1. David 132 Silver badge

          Re: So... if I read this right...

          Juan, then. Juan Kerr.

        2. chivo243 Silver badge

          Re: So... if I read this right...

          Besides the funny play on words, I thought I had heard that name before, but some research shows that Wayne Kerr is a mashing of the Chicago Bulls announcers from the Michael Jordan era, Wayne Larrivee and Johnny “Red” Kerr…

          The joys of age and the mind….

    3. Anonymous Coward
      Anonymous Coward

      Next time...

      Publish the vuln on their Twitter account.

    4. b1k3rdude

      Re: So... if I read this right...

      No, your spot on fella!

      1. Anonymous Coward
        Anonymous Coward

        Re: So... if I read this right...


    5. Agamemnon

      Re: So... if I read this right...

      That was my take-away.

      It's guaranteed I won't be using that code in a project.

    6. Anonymous Coward
      Anonymous Coward

      Re: So... if I read this right...

      Judging by the single downvote on your comment, you may have missed that he frequents The Register or at least signed up to disprove you with a downvote...

  2. Phil O'Sophical Silver badge

    If Kerr cares so little for security of his customers' users' data, it sounds like an excellent reason to avoid any business that uses OpenCart.

    1. Doctor Syntax Silver badge

      It also sounds like an excellent reason for businesses to avoid using OpenCart.

  3. Wanting more

    Would we be even reading about this if the owner had responded "thank you for the report, we've incorporated the fix."? I learnt long ago that being boring is often the best policy.

    1. Michael Wojcik Silver badge

      When I was a PSIRT member, we (collaboratively) drew up a fairly extensive document and flowchart for how to respond to reports of possible vulnerabilities from outsiders, whether they were customers or independent security researchers or whatever. Prompt and frequent communication and respect were top priorities.

      No software vendor does itself any favors by attacking people who report possible vulnerabilities — even if the report is bogus, even if the reporters are looking for money, even if the reporter starts off hostile or unhelpful. (There are always the assholes who don't follow responsible-disclosure policies, for example.) But you can always say "no" politely; you can always explain, politely, why the report is wrong. And, of course, you should start by assuming there is a problem, and be quite sure before you decide there isn't one.

  4. cornetman Silver badge

    It's a weird way to respond to people taking their time to improve your product. Much of the time, reporters are pen testers that likely have the knowledge and expertise to offer a mitigation. Why a product maintainer wouldn't embrace genuine offers of help for free is quite beyond me.

    Sounds like the author has a serious ego problem.

    1. Doctor Syntax Silver badge

      "Sounds like the author has a serious ego problem."

      And that security is an afterthought.

      1. Lennart Sorensen

        More like not a thought at all. It's "safe enough" after all. At least according to someone that doesn't actually understand security.

        1. Arthur the cat Silver badge

          It's "safe enough" after all. At least according to someone that doesn't actually understand security.

          Reminiscent of newbies who create their own encryption algorithms "that must be secure because I can't break it and I invented it".

    2. Andy Non Silver badge

      It doesn't encourage other security testers to look for flaws in OpenCart. Sooner or later this will come back and bite OpenCart in the ass when hackers show more interest in their software than testers.

      1. keithpeter Silver badge

        @Andy Nom and all

        Might encourage mobs of security testers to pile on and start searching for vulns.

        Just to see who can provoke the rudest and most ignorant response.

        See icon.

        1. bemusedHorseman

          OpenCart GitHub drinking game

          One shot for every expletive he uses in a reply to your pull request. Guarantee you'll hit the Ballmer Peak in minutes.

        2. Dwarf

          Perhaps he would learn more quickly if a bunch of day zero vulnerabilities are dumped on his lap as they are actively being used to attack his customers.

          There is nothing like having angry customers on the phone or the product reputation going down the pan.

          This should help in their anger management training and their learning of why vulnerability disclosure practices are like they are in the industry.

          He should also learn about the payment schemes that others do for successfully identified bugs as obviously his own test teams are not doing their job.

    3. cornetman Silver badge

      Yeah, I just read through the linked issue conversation. Crikey, that escalated fast. The reporters were factual and polite and Kerr just completely lost it.

      I suspect that he has some serious real world issues to cause that level of reaction.

      1. heyrick Silver badge

        "narasasium" perhaps?

    4. Bebu Silver badge

      Sounds like the author has a serious ego problem.

      More likely everything from the brainstem up has liquified into his offensive vomit.

      My sympathy is for any smaller enterprise that directly or indirectly relies on any service that uses this nut job's software.

      In the real face to face world this level of obnoxious would quickly lead to one face be removed or at least severely remodelled.

      Rates at least a 110% defenestrationability score.

  5. Nate Amsden

    missing competitor

    Looks like Opencart is an open source shopping thing. So I'd say their biggest competitor is Magento (which has open source, commercial, and hosted offerings I think), not those other SaaS platforms mentioned(though they could be the biggest in the space). Part of the point of having the source is being able to customize it beyond what SaaS allows.

    I worked at a couple of orgs that used Magento enterprise(hosted on our own gear), though the last version that we used was 1.14 I think (which is probably 8-10 years old now).

  6. trevorde Silver badge

    Elon Musk, is that you?

    1. ecofeco Silver badge

      Our modern "betters" are all Elmo Musk.

  7. The Oncoming Scorn Silver badge

    OpenCart's Attention To Its Insecure Password-hashing Practices.

    This might be explained after seeing Kerrs spelling in his written responses, he's doing it himself & can't break the habit for use in normal correspondence.

  8. Franklin

    This is altogether common in the world of the internet, alas.

    Few months back, I discovered a code injection vulnerability actively being exploited on the NACUBO site. I emailed the site admins, nothing. Notified them via Twitter, they blocked me. Reached out to the guy listed as the site's head of information security on Linkedin, he told me to go away. Just checked right this moment, the vulnerability—which has the potential of yielding total control of the site to an attacker, and is still being actively exploited in the wild—is still there.

    Some people take a security disclosure as a personal attack—a sort of "you're a dumbass loser, look at this thing you screwed up"—and get defensive. Folks like that are sadly commonplace.

  9. anothercynic Silver badge

    Ohhhh, Connor/El Reg...

    He's calling you out!

    He's having a real meltdown over this... Bless him (and his heart, because it's looking like he's heading for a coronary).

  10. Martin-73 Silver badge


    What a knob jockey :)

  11. BartyFartsLast

    That last sentence speaks volumes, Kerr is a conspiracy nutjob:


    Also If anyone is looking for a good story I know a very good one that involves child traffickers, judges and police. It will make your blood boil!"

    Kerr is, as an old friend used to say, 'completely booloo' as well as deeply irresponsible and thoroughly unpleasant.

    Hopefully this story and that github discussion will dominate the google results whenever anyone searches Opencart Vulnerabilities.

    Seriously though, labeling a vuln as 'spam', banning users for reporting vulns, replying with insults and profanities and locking down threads to collaborators only because someone politely points out a potential problem is a screaming klaxon, red flag waving signal of very real problems in the project and management of a project.

    One to be avoided.

    1. Doctor Syntax Silver badge

      Re: That last sentence speaks volumes, Kerr is a conspiracy nutjob:

      It's also a very effective way of drawing the attention of those you really shouldn't want to find out about your shortcomings.

      1. BartyFartsLast

        Re: That last sentence speaks volumes, Kerr is a conspiracy nutjob:

        Definitely, if your product and personality is sub-standard then it's a great way to let everyone know.

  12. b1k3rdude

    @Conner jones, your being accused of lazy journalisim -


  13. Scott 26

    Normally I'm a late comer to these comments sections on El Reg (time zone differences mean I read the article the next day or 2, if it has been a weekend).

    But sometimes that works in my favour - decided to check out the linked issues discussion - and it's been updated since this article was written... clearly he (or someone he knows) reads El Reg, and he has had an even bigger meltdown over the vuln reporting.

    As my wife would say "Tee Eff Eff" (too fucking funny)

  14. Groo The Wanderer Silver badge

    Next time, let Open Cart BURN and stew in the mess. Why deal with people who respond to assistance and help with profanity and abuse?

    1. Mister Dubious

      But who's in the stew?

      "Next time, let Open Cart BURN and stew in the mess."

      I may have missed something, but how would a successful exploit harm OpenCart? It's not their servers getting pwned, it's those of the poor sods who installed the stuff. (Or maybe the poor sods' customers whose account info got swiped from the pwned servers...)

      Question from an ignorant pre-victim: When I connect to an on-line store, how can I tell whether they're using OpenCart? If my info is going to get hacked, I'd prefer to order my purple pills and latex novelties somewhere else...

      1. Michael Wojcik Silver badge

        Re: But who's in the stew?

        Interesting question. I took a quick look through the sources, hoping there would be a Javascript file with a distinctive name (since that's easy to recognize and block from the client side), but it looks like they're all common frameworks and similar crap except "common.js", which is a ... well, common ... name.

        If the site serves opencart-logo.png, that's a giveaway, but a site could just change the code to not serve it.

        I haven't looked further.

  15. Alan Bourke

    That Github issue is hilarious.

    Complete with conspiracy tinfoil hattery and everything, it's *chefkiss*

  16. Anonymous Coward
    Anonymous Coward

    Read his last paragraph. Kerr has gone full QAnon

  17. Narpington

    An angry man responds

    LOL, Kerr has left a long and (of course) bad-tempered comment about this story on the Github bug page.

  18. spleach

    History repeats itself

    Not the first time that the code author has had flaws pointed out in his code and he reacted unnecessarily aggressive to those offering constructive criticism. What a wanker and ignorant developer stuck in the dark ages!

  19. Roger Kynaston

    Is this Kerr a Reg commentard?

    I rather hope so as he can furhter enhance the reputation of his company by gracing these fora with his considered observations.

    1. phuzz Silver badge

      Re: Is this Kerr a Reg commentard?

      I can think of a few commentators with a similar writing style, but my guess is that if he had an account there's no way he could stop himself from posting here.

  20. kend1

    Please stop

    Yes, he is an easy target. But I am worried that someone innocent may become his target. -KenD

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like