So a while ago I was looking around at some open-source shopping cart applications for a potential client. The guy never got back to me but I played around with the software anyway.
The app in question is called OpenCart and is pretty nice at a casual glance. It has a lot of features a potential seller would want, including a simple interface, sales statistics, multiple currencies, and coupons/discounts.
I would like to focus on this last category. By default you have three coupons to choose from: $10 off, 10% off, and free shipping. Also by default, these coupons have checkout codes of 1111, 2222, and 3333 respectively. The most surprising thing is that, still by default, these coupons are enabled.
Take a minute and think about that. By default, this app is configured to allow you to lose money.
It’s not that hard to discover this flaw, either. Anyone who downloads this app and has a brain in their skull can see that these coupons are present and enabled on a clean install. It doesn’t take a tremendous leap from there to get to exploitation. Why is this allowed?
Being the responsible person I am, I reported this to the developers via their site’s “report a bug” form with the following:
OpenCart comes default with three discounts, all enabled:
10% off – expires 01/01/2012 – Code 2222
$10 off – expires 01/11/2020 – Code 1111
Free Shipping – [expired]
If a vendor sets up an OpenCart installation and does not realize there are default discounts, anyone can come along and apply the coupons. They are trivial to discover just by downloading OpenCart and setting it up. I just tested this myself on v220.127.116.11 and it works.
Please email me back when you receive this.
Now before you say it, I did forget to mention in my message that only the $10 off and 10% off coupons would work (I wrote to them on December 8, 2011 right after I found this). By now, being past Jan 1, 2012, only the $10 off coupon will work.
Minor details, moving on.
So let’s say someone used this trick now. $10 might not seem like a ton of money, but to someone selling $15 items it’s quite a chunk. Regardless of the amount lost, this is still not something that should be enabled by default. That said, I’ll show you the reply I got:
it's so the user can test this function when they set it up.
there's not much I can do if a non-developer installs opencart and leaves this in.
I get the first part from a usability standpoint, but the second part is simply not acceptable. First off, you don’t write software like this for developers. You write it for users of all skill levels. A statement like that makes sense for some obscure linux kernel feature but not for an application that will be used by many people to make a profit. Second, there actually is something you can do about it, and I showed them in my reply:
I can’t help but feel that’s an irresponsible point of view for a developer to take. It would make more sense to have them disabled by default and give a notice, or even a short “Read This First” during the install process that explains the situation.
Not everyone who will be using this is going to be a developer, true. We can’t help that. But that doesn’t mean they won’t hire someone who is inexperienced to set it up for them. Having the user suffer monetary loss when the fix is so simple just isn’t acceptable.
I really would consider changing the default status of the discounts to “Disabled”, especially when a 10% off coupon could mean hundreds of dollars on a high-price item.
Bear in mind this was written when the 10% off was still valid, and I completely neglected to mention the possibility of a non-developer installing this. Another thing you don’t see here is the patch I wrote, which was as simple as changing three 1s to 0s to disable the coupons by default. That was sent in another “contact us” submission, hence my not having a copy to share here.
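As an added illustration (my code, not part of the original post and not OpenCart's own), here is a small audit that flags the default coupons when they are still enabled and unexpired on a given date, and applies the same status-to-0 change described above. The oc_coupon table and column names are my assumption about the schema, and the sample rows are constructed from the dates quoted in the report.

```python
import sqlite3

# Coupon codes that ship enabled in a clean OpenCart install, per the post above.
DEFAULT_COUPON_CODES = {"1111", "2222", "3333"}

# Constructed sample of the coupon table: (name, code, status, date_end).
# Table/column names are an assumption about the oc_coupon schema; the two
# expiry dates come from the bug report, the Free Shipping date is made up
# (the report only says it was already expired), and the last row stands in
# for a merchant-created coupon that an audit must leave untouched.
SAMPLE_COUPONS = [
    ("10% Off",       "2222",  1, "2012-01-01"),
    ("-10.00 Off",    "1111",  1, "2020-01-11"),
    ("Free Shipping", "3333",  1, "2011-01-01"),
    ("Summer Sale",   "XK7Q2", 1, "2030-06-30"),
]


def open_sample_db():
    """Build an in-memory database holding the constructed coupon rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_coupon (coupon_id INTEGER PRIMARY KEY, name TEXT, "
        "code TEXT, status INTEGER, date_end TEXT)"
    )
    conn.executemany(
        "INSERT INTO oc_coupon (name, code, status, date_end) VALUES (?, ?, ?, ?)",
        SAMPLE_COUPONS,
    )
    conn.commit()
    return conn


def find_live_default_coupons(conn, today):
    """Return the default codes that are enabled and valid through `today` (ISO date string).

    ISO dates compare correctly as strings, so no date parsing is needed.
    """
    rows = conn.execute("SELECT code, date_end FROM oc_coupon WHERE status = 1").fetchall()
    return sorted(code for code, date_end in rows
                  if code in DEFAULT_COUPON_CODES and date_end >= today)


def disable_default_coupons(conn):
    """Set status = 0 on every default coupon (the three-1s-to-0s fix); returns rows changed."""
    marks = ",".join("?" * len(DEFAULT_COUPON_CODES))
    cur = conn.execute(f"UPDATE oc_coupon SET status = 0 WHERE code IN ({marks})",
                       tuple(sorted(DEFAULT_COUPON_CODES)))
    conn.commit()
    return cur.rowcount
```

Run find_live_default_coupons against a real installation's coupon table (with the names adjusted) as a post-install check; an empty result means no stock coupon can still be redeemed.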
I did not get a further response. This all took place in one night exactly a month ago (to the hour, even), so I don’t feel bad about posting this. Responsible disclosure and all that.
So to summarize:
* An OpenCart developer knowingly left a feature enabled that could hurt users
* After offering a simple patch, he still declined to apply it
* The logic behind his decision makes no sense at all
I’d like to end with a deep philosophical statement about the state of mind some developers have and how times have changed and how this will surely mean the end of open source as we know it, but I can’t think of one right now so I’m gonna go have some wine and baklava.