Users of the e-commerce platform PrestaShop have reached out to Ecomony highlighting an article written by the site Weblind. The article in question puts PrestaShop's password security under scrutiny.
Even though PrestaShop hashes customers' passwords, it is said to do a very poor job of it. The passwords are hashed with the outdated MD5 algorithm, and only once, with no iterations.
More troubling is that the salt, the string that is supposed to make attacks using a rainbow table impossible, is static: the same salt is used sitewide rather than a unique one per password, which according to Weblind is the right way to do it.
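The difference between the scheme the article describes and per-user salting with an iterated hash, shown as an added illustration that is not from the article and not PrestaShop's own code. The site-wide salt value, the concatenation order, the sample accounts and the choice of PBKDF2-HMAC-SHA256 as the replacement are all assumptions made for this example:

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed placeholder for a site-wide secret; not PrestaShop's real value.
SITE_WIDE_SALT = "constructed-static-site-salt"


def weak_hash(password: str, site_salt: str = SITE_WIDE_SALT) -> str:
    """The pattern the article criticises: one round of MD5 over a salt that is
    identical for every account. The concatenation order is an assumption."""
    return hashlib.md5((site_salt + password).encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 600_000  # iterated KDF: every guess costs this much work


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from the
    standard library, chosen here as the illustration; bcrypt, scrypt or
    Argon2 serve the same purpose). The stored string carries everything
    needed to verify the password later."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt, fresh for every stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count recorded in the stored
    string and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_digest_groups(user_hashes: Dict[str, str]) -> List[List[str]]:
    """Audit helper: groups of users whose stored digests are identical.
    With a static salt, each group is a set of accounts sharing a password,
    so one successful guess unlocks all of them; with per-user salts the
    stored values never collide and this returns an empty list."""
    by_digest: Dict[str, List[str]] = defaultdict(list)
    for user, digest in user_hashes.items():
        by_digest[digest].append(user)
    return sorted(users for users in by_digest.values() if len(users) > 1)


# Constructed sample accounts; two of them reuse the same password.
SAMPLE_ACCOUNTS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",
}

WEAK_TABLE = {user: weak_hash(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
STRONG_TABLE = {user: strong_hash(pw) for user, pw in SAMPLE_ACCOUNTS.items()}

if __name__ == "__main__":
    print("static salt, shared digests:", shared_digest_groups(WEAK_TABLE))  # [['bob', 'carol']]
    print("per-user salt, shared digests:", shared_digest_groups(STRONG_TABLE))  # []
    print("verify bob:", verify_strong("hunter2", STRONG_TABLE["bob"]))  # True
```

The audit helper makes the article's point visible in a stored table: with a static salt, identical digests reveal which customers share a password, and a table computed once against the site salt applies to every account; with a per-user salt the same password never produces the same stored value, and the iteration count makes each guess expensive on top of that.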
Passwords Almost in Clear Text
These choices are said to make a database of user passwords breakable within a day by an experienced attacker. The vulnerability is also said to be present in all of PrestaShop's more than 250 000 e-commerce stores.
Weblind does, however, state that nothing can be made unbreakable: all passwords can be cracked. It is the platform's job to make cracking hard and time-consuming, and the setup PrestaShop uses for storing passwords makes breaking customers' passwords far too easy.
- If a hacker is able to get a large part of the website's users' passwords within a day, I'd say that is almost as bad as the website storing the passwords in clear text, writes Weblind.