Three weeks ago, on 16th February 2019, a security vulnerability in our Abandoned Cart Lite plugin was reported by a customer via our ticketing system. The vulnerability was also present in our Abandoned Cart Pro plugin.
Within 48 hours, we had applied a patch and released updates for both plugins, on February 18th and February 19th respectively.
The customer who reported the issue also confirmed that the updated version fixed it. At the onset, I want to personally apologise for the lapse and the inconvenience caused, and promise to help you every step of the way, with support, advice and more.
Here is what happened. Stay with me for a few minutes and I will explain why it happened, and also what we learned from it.
What was the vulnerability?
The vulnerability allowed the hacker to create users on sites that are using the Abandoned Cart Lite plugin. The person who reported this issue was a customer using the plugin. She let us know the exact username & the email address of the user that was being created.
Based on that information, we were able to determine the cause of the vulnerability and how the hacker was exploiting it to create users on the sites. As I mentioned before, we applied the patch and released an update on February 18th for the Abandoned Cart Lite plugin and on 19th February 2019 for the Abandoned Cart Pro plugin.
Both the Lite and Pro releases, published within 48 hours of the report, were tagged as a “security release”.
This happened because a very basic data sanitization check that should have been in the plugin was missing. It’s definitely a rookie mistake, and we are not proud of it. All we can say is that we are human, and we are very sorry and promise that this will not happen again.
At this stage, over 42% of our customers have updated to the latest version of the plugin. The customer who reported also confirmed that the latest release does fix the issue.
However, there are still many sites that are vulnerable. We are making every effort to reach out to customers (we don’t have everyone’s email address), and we are also using our other plugins to display notices to customers if we find that they haven’t yet updated to the latest versions of the Abandoned Cart plugins.
We have also scanned the plugin for any other security vulnerabilities, and none were found.
You may also have seen the vulnerability reported recently on other sites.
Mistakes we made
This was the first time (and most definitely the last) we have had to deal with such a situation. So we quietly released a security update and started informing our customers about it.
We are purposely withholding details about how the vulnerability worked. We would be happy to let you know via email in case you want to know more about it and if you are using the plugin.
This has happened to the best of us, from new developers to giants like Google. It doesn’t justify our lapse. We acknowledge it, take responsibility for it and are willing to support you against the repercussions that the vulnerability may have caused.
We Are Sorry
On behalf of the whole Tyche team, we are truly sorry for the inconvenience, and we are here to offer support, advice, or any other help related to the issue. For our new customers, this is not the first impression we hoped to create for you.
Do understand that for us, security is of top priority. We strive hard to ensure that our customers can fully trust the plugin, and this incident has only led to a redoubling of efforts. We will work harder. We promise.
We are looking forward now, having learned from this difficult but valuable lesson. I invite you to see what our full lineup of plugins has to offer.