phrasespot Posted April 6, 2012

Yesterday @RickieSee made a post with the subject 'Prestashop Sending Information Without Consent To Third Parties' and the following body:

> Decided I'd keep a closer eye on the store for dev purposes..... Either this is sanctioned by Prestashop, or it's from the one free module I've ever downloaded from a (sneaky) active member on here. My money is on the latter.

I replied asking for more details as I use, install on my clients' sites and distribute free modules available in these forums. The post was also replied to by @Mike Kranzler, asking for more details via PM. Now I cannot find this thread anywhere, including my post/content history (though it is in Google's cache). I sincerely hope that I just did not look carefully enough rather than a post with an accusation as serious as this is being removed/made unavailable to members.

Dh42 Posted April 6, 2012

My first thought was he deleted it. But going back to one of my posts I do not see that option.

Mike Kranzler Posted April 6, 2012

Hi phrasespot and designhaus,

RickieSee and I agreed to remove the post while we looked into this for him, as it appeared to be due to an external module he downloaded, rather than something within PrestaShop's software. I do have a copy of the module and we are looking into it, but since it appears to be a product of an external developer we agreed that it was best to remove the post for the time being. Once we've resolved this, however, I will re-approve the post and explain what we found.

-Mike

Dh42 Posted April 6, 2012

As a point of conjecture. Do any external modules connect to the developer's site as a means of on-going authorization? I am guessing that with the PrestaShop shop modules that is not allowed?

Mike Kranzler Posted April 6, 2012

> As a point of conjecture. Do any external modules connect to the developer's site as a means of on-going authorization? I am guessing that with the PrestaShop shop modules that is not allowed?

If they are submitted to us through the Addons store, this is absolutely grounds for rejection and something we will not stand for. However, if a developer posts their own module anywhere else for download, there is no way for us to put it through the entire authentication process to ensure that everything is appropriate in every single module. For that reason, any module downloaded outside of the Addons store should be considered "at your own risk," even if the vast majority of them are perfectly fine and offer fantastic new features or modifications.

In this situation the accusation was leveled at an individual developer's module. For that reason, we determined that this was not the place for that discussion, even while we are actively working to resolve it.

-Mike

phrasespot (Author) Posted April 6, 2012

This is actually the exact place of discussion as the module was released here and the OP may not be the only merchant using this module. Looking at whether the module does what it is alleged to be doing does not take longer than five minutes. If you are not able to determine that immediately then name the module so someone who can can look at it and if the accusation is correct, other users can take measures to protect themselves. Hiding posts and delaying this situation does not help anyone.

Mike Kranzler Posted April 6, 2012

> This is actually the exact place of discussion as the module was released here and the OP may not be the only merchant using this module. Looking at whether the module does what it is alleged to be doing does not take longer than five minutes. If you are not able to determine that immediately then name the module so someone who can can look at it and if the accusation is correct, other users can take measures to protect themselves. Hiding posts and delaying this situation does not help anyone.

Yes, but if it is not a product of a specific module, we could be hurting the business and reputation of an innocent developer. As you may have seen in the news recently, even Macs are becoming more and more vulnerable to trojans and other hacks (if you're a Mac user and you haven't done so already, please read this). We believe that it is important to do our due diligence before publicly accusing anyone, as there are too many potential variables to consider before we would feel comfortable doing so.

-Mike

phrasespot (Author) Posted April 6, 2012

Of course due diligence is important, hence I asked you to disclose what you found, not the name of the module. Whether the accusation is true or not.

> If you are not able to determine that immediately then name the module so someone who can can look at it

You said you have a copy. It has been long enough (48 hrs) since the original post to determine whether it includes malicious code or not, it is not rocket science. Meanwhile all modules downloadable from the forums are suspect, and if the module is guilty as charged you are exposing other users of the module by delaying a response.

And,

> there are too many potential variables to consider

No, there is not. Modules comprise a limited number of files that can incorporate malicious code. They either do or not. That is the only variable.

Dh42 Posted April 6, 2012

That is what I was worried about when I saw Mike's post. I have seen many a forum question about the module community being backed up and taking longer to approve the modules and get them on the site. I have only bought a couple of modules from known developers, so I am probably not affected, but I can see the point of "hurry up". I would hate to have something happen to one of my clients' sites, it would kill my insurance rates.

Mike Kranzler Posted April 6, 2012

At this point in time, our development team has not found anything malicious within the module. I have reached out personally to the developer to get more information as well, but if he does not respond within a reasonable time frame we will be forced to open it up to more scrutiny from the community.

And as I mentioned above, this was NOT a module downloaded from our Addons store, nor is it available there at all. It was a free download that someone posted, and in the end, this so far has been an isolated accusation among what appears to have been a very popular module posted more than 6 months ago. It is for that reason that we are choosing to be careful in releasing this information. I currently have three separate developers looking at this, because we do take these sorts of accusations seriously and will act upon it immediately if they find anything.

If a user accused one of your modules of containing some sort of malicious script, I would do the exact same thing, temporarily hiding the post, passing the module to our team and contacting you directly so that we can properly investigate this. If we find anything is amiss about this module, we will absolutely re-approve the post and spread the word among those who may have downloaded it. But if it is in fact nothing to do with this module, we would have been falsely accusing a member of our community. Again, I would handle an accusation against you or any other member of the community the exact same way.

-Mike

phrasespot (Author) Posted April 7, 2012

I understand and really appreciate that you're trying to protect the developer. However it has been almost 72 with both PS and the other three developers you mentioned looking at the code. Does everyone really find it that difficult to determine whether there is malicious code in the module or not? We need a definitive answer without further delay if a module downloadable from these forums contains malicious code, as anyone who ever downloaded a module may be at risk.

Mike Kranzler Posted April 9, 2012

Hi phrasespot,

Three separate developers have found absolutely nothing wrong with this module. It appears that the code in question likely comes from some other source, and the timing was a mere coincidence.

-Mike

phrasespot (Author) Posted April 9, 2012

> Three separate developers have found absolutely nothing wrong with this module

That is great to hear. IMHO, this incident is a very good example of why:

a) one should be pretty sure before making an accusation in public that a module may contain malicious code.

b) modules that are not distributed from PrestaShop add-ons do come from a trustworthy source.

This latter point may go well with the existing best advice

Thank you and thanks to three developers who examined the suspect module for their expertise, time and effort.

Dh42 Posted April 9, 2012

Because it is really grating on my nerves at this point I will say this: The PrestaShop add-ons has problems. I have had a module that has been stuck in the validating process since Saturday. I have called, emailed, posted to the forum. It's apparently still just sitting there not letting me download it.

Mike Kranzler Posted April 9, 2012

Hi DesignHaus,

Is this a module you submitted, or a module you're purchasing?

-Mike

Mike Kranzler Posted April 9, 2012

> That is great to hear. IMHO, this incident is a very good example of why: a) one should be pretty sure before making an accusation in public that a module may contain malicious code. modules that are not distributed from PrestaShop add-ons do come from a trustworthy source. This latter point may go well with the existing best advice Thank you and thanks to three developers who examined the suspect module for their expertise, time and effort.

Agreed, and I hope you now understand why I chose to remove the thread while we did our due diligence.

-Mike

Dh42 Posted April 9, 2012

Purchasing...

Mike Kranzler Posted April 9, 2012

> Purchasing...

Usually, this is due to some of our internal checks we use to prevent fraud. Go ahead and email me with the details of your order, and I'll be sure to look into it for you.

-Mike

Mike Kranzler Posted April 10, 2012

Hi DesignHaus,

I emailed you about this as well, but your order was approved early this morning. The issue was due to a masked IP that set off our automated warnings, and thus slowed down the process a little bit. However, if you haven't already, you should now be able to download the module you purchased.

-Mike