Be wary of sites using "Zen Cart" shopping software this holiday

from Slashdot:

Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers

2015-Nov-25 19:54

… Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system.
… which could allow remote attackers to infiltrate web servers and gain access to customer data.

Servers running Zen Cart are also at risk of malware, meaning that hundreds of thousands of ecommerce sites pose a potential danger.

Technical details of the vulnerability are not yet being made public, but having notified Zen Cart of the issue High-Tech Bridge says the date of full public disclosure is 16 December.

And how are we supposed to know what shopping cart a website is using?

I mean thanks for the heads up but what action are we supposed to be taking?

All I can say is look for it. I’ve seen it identified as the provider of shopping cart pages in the fine print at the bottom of some pages.
I see it show up when I use “Inspect Element” in Firefox sometimes.
I see “Allow all from Zen-Cart.com” listed in NoScript as a normally blocked* source needing permission to run on some shopping cart pages.

Shorter: I dunno either.

It’s a template: Is this shop using Zen-cart?

* normally blocked because I normally block most things and give one-time temporary permissions when I feel like doing that.

If you take what I’d think of as ordinary precautions
— don’t use the same email address at more than one shopping site, use throwaway email addresses unique to each (catches sites that spam/sell lists/got hacked by collectors)
— don’t use the same password at more than one site
— don’t leave a credit card number, date, code, name etc. on sites for autofill
— don’t keep a huge amount of money in a PayPal balance or bank account linked to PayPal

then, eh, there’s not so much there to be stolen, I guess.
And of course mistrust any site that sends you clickable links in email.