Better store invoice protection

We're shifting our Forum based support to a more dedicated support system!

We'll be closing our Forum support from 10th June, 2020 and move to Email Support assistance.

  • If you are a WCFM premium add-ons user, contact us- here
  • Want to know more before buying our add-ons? Send Pre sale queries- here
  • If you are a WCFM free user, please open a support ticket at WordPress.org
  • For WCFM App related queries, reach us- here
From now the forum will be read-only!

Viewing 11 reply threads
  • Author
    Posts
    • #54685
      shitT
      Participant

      The store invoices are stored on an upload folder, which everyone can access with the appropriate URL. As the URLs of the stores are similar, it is very easy for a store owner to find the URL of the other stores and check into their invoices…

      Would it be possible to protect these files better, or generate them every time, like the packing slip or the commission-invoice instead of saving them on disc?

    • #54936
      WCFM Forum
      Member

      Hi,

      As the URLs of the stores are similar, it is very easy for a store owner to find the URL of the other stores and check into their invoices…

      – Well, store Invoice are generated using store invoice prefix and number, now it’s difficult to guess.

      This URLs are open because customer has access to this from their emails.

      Still, we will look into this!

      Thank You

    • #56014
      shitT
      Participant

      Hello

      Thanks for your answer. I guess you know that security by obscurity is false security. So even if the name is not very easy to guess for an outsider, it can be guessed or found using brute force. And the customer has these informations, so he could very easily browse invoices of other customers.

      I propose that you handle the store invoice like packing-slip or commission invoice. They are attachment to the mail.

      Thank you.

    • #56168
      WCFM Forum
      Member

      Hi,

      Well, Store Invoice send to customer as Email Attachment. Custom can not see any “Real URL” there.

      Are you getting Store Invoice URL in email?

      Thank You

    • #57206
      shitT
      Participant

      Hi

      You’re right. The customer gets the invoice as attachment. But the vendor has the information on the link and could browse invoices of other vendors by deduction.

      Thanks for looking into this!

    • #57321
      WCFM Forum
      Member

      Hi,

      But the vendor has the information on the link and could browse invoices of other vendors by deduction.

      – How? Vendors are allowed to define own invoice numbers, and invoice generated using this number. Now, how a vendor able to guess/assume another vendor’s invoice number.

      Thank You

    • #57850
      shitT
      Participant

      So you’re telling me the invoice number constitutes a guarantee for confidentiality, right?

      PS: Since your last update of WCFM-U, the customer gets the URL Link under “my Account”, so your claim from 4th April (“Well, Store Invoice send to customer as Email Attachment. Custom can not see any “Real URL” there.”) is no longer true. Agree?

    • #58065
      WCFM Forum
      Member

      HI,

      Yeah right, in latest update we have added “Store Invoice” download option under My Account -> Orders

      But, we have changed Store Invoice URL, place an new order and check it’s Store Invoice URL.

      Now, it’s impossible to guess/assume other vendors invoice folder.

      Thank You

    • #58110
      shitT
      Participant

      Try this:
      Customer 1 orders from vendor a. His invoice URL is https://<website>/content/uploads/wcfm/vendor_invoice/<vendor_a_code>/2019/04/Invoice-000001.pdf
      Customer 2 orders from vendor a. His invoice URL is https://<website>/content/uploads/wcfm/vendor_invoice/<vendor_a_code>/2019/04/Invoice-000002.pdf

      -> Customer 2 changes the number of invoice from 2 to 1, and sees invoice of customer 1!
      -> Customer 1 changes the number of invoice from 1 to 2, and sees invoice of customer 2!
      -> Vendor b orders once from vendor a, and gets the <vendor_code> of vendor a.

      I demonstrated that it is very easy to find out other vendors invoice folders. Agree?

      If you can solve this problem, you’ve got a great plugin. If not, confidentiality is not guaranteed by your plug-in. I believe that, for any responsible marketplace owner, it should be a no-go to go live with your plug-in. I would strongly recommend you to escalate the issue internally.

    • #58455
      WCFM Forum
      Member
    • #59013
      shitT
      Participant

      Hi, thanks a lot for fixing this! The order code looks safe to me:)

    • #59131
      WCFM Forum
      Member

      Great .. you are welcome 🙂

Viewing 11 reply threads
  • The topic ‘Better store invoice protection’ is closed to new replies.