facebookarchive / facebook-for-magento

A first-party extension plugin built for Magento. This plugin will install a pixel on your site, upload your products into a catalog for use in FB ads, and (optionally) auto-create an FB shop with your products.
https://www.facebook.com/business/help/532749253576163

Hackers are fishing/searching for your code on live servers. #7

Closed RogerKeulen closed 5 years ago

RogerKeulen commented 7 years ago

I get some requests on my servers for your code. Blocked IP: /facebookadstoolbox/productfeed/gen

Please make sure your code is safe to use. Always install a honeypot and check your logs.

dmitridr commented 7 years ago

Hello,

Thanks for your concern. We are not aware of any outstanding security issues, the newest version should be secure.

If you have the plugin installed, /facebookadstoolbox/productfeed/gen is a URL Facebook uses to trigger the feed regeneration mechanism (by default once a day) before fetching the feed file, so this endpoint will be queried from Facebook (more accurately genPing will be queried). It's true that this endpoint can be queried by others, but there is a cache preventing the feed from being regenerated too often to cause a DDoS. Details are in the code.

I can think of a couple of ways to secure this endpoint even further to prevent requests not originating from Facebook, if that is a concern.
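The mechanism described in the reply above, as an added example that is not code from facebook-for-magento or from either commenter: an unauthenticated "regenerate" endpoint whose expensive work is guarded by a cache so that repeated hits do not rebuild the feed, plus one of the ways such an endpoint could be restricted further, a shared secret compared in constant time. The cache TTL (one day, matching the "once a day" default mentioned), the HTTP-style return codes, the `FeedRegenerator` class and the `simulate_burst` helper are all assumptions made for this illustration; the real plugin's caching details are, as the reply says, in its code.

```python
"""Throttled feed-regeneration endpoint with an optional shared-secret check.

Added example, not code from facebook-for-magento. It models a cache that
stops the feed from being rebuilt on every request, and a shared-secret
check that rejects callers who do not hold the secret. Status codes, TTL
and class/function names are assumptions for this illustration.
"""
import hmac
import time

# Assumption: the default regeneration interval is one day, as the reply states.
REGEN_TTL_SECONDS = 24 * 60 * 60


class FeedRegenerator:
    """Simulates a /productfeed/gen style handler over an in-memory cache."""

    def __init__(self, shared_secret=None, ttl=REGEN_TTL_SECONDS, clock=time.time):
        self.shared_secret = shared_secret  # None keeps the endpoint open to anyone
        self.ttl = ttl
        self.clock = clock                  # injectable so tests can control time
        self.last_regen = None              # cache entry: when the feed was last built
        self.regen_count = 0                # how often the expensive job actually ran

    def _build_feed(self):
        # Stand-in for the expensive product export; the real plugin writes a feed file.
        self.regen_count += 1

    def handle_gen(self, token=None):
        """Handle one request to the endpoint and return an HTTP-style status code."""
        if self.shared_secret is not None:
            # Constant-time comparison so timing does not leak how much of the token matched.
            if token is None or not hmac.compare_digest(token, self.shared_secret):
                return 403  # caller does not hold the secret: refuse before any work
        now = self.clock()
        if self.last_regen is not None and now - self.last_regen < self.ttl:
            return 304  # cache still fresh: nothing rebuilt, so repeated hits stay cheap
        self._build_feed()
        self.last_regen = now
        return 200


def simulate_burst(requests, ttl=REGEN_TTL_SECONDS):
    """Fire `requests` hits within one simulated second on an open endpoint.

    Returns how many times the feed was actually rebuilt; with the cache in
    place that is 1 no matter how many requests arrive.
    """
    clock = [1_000_000.0]  # constructed starting timestamp
    regen = FeedRegenerator(ttl=ttl, clock=lambda: clock[0])
    for _ in range(requests):
        regen.handle_gen()
        clock[0] += 1.0 / requests
    return regen.regen_count


if __name__ == "__main__":
    print("rebuilds during a 1000-request burst:", simulate_burst(1000))
    guarded = FeedRegenerator(shared_secret="example-secret")  # constructed secret
    print("no token:", guarded.handle_gen())
    print("good token:", guarded.handle_gen("example-secret"))
    print("good token again:", guarded.handle_gen("example-secret"))
```

Two caveats a practitioner would want: the cache limits the cost of each hit, but the handler still answers every request, so the throttle is a cost bound rather than an access control, which is why the secret check runs first; and a secret carried in the request is only as private as the transport, so it belongs on an HTTPS-only endpoint.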

dmitridr commented 5 years ago

Closing, we have had no reported security problems for over a year now with this plugin, so I don't think we need to go overboard with security enhancements at this time.