Databreach in Hikshop ?

  • Posts: 229
  • Thank you received: 7
  • Hikashop Business
3 months 3 weeks ago #305035

-- HikaShop version -- : 4.0.3
-- Joomla version -- : 3.9.4
-- PHP version -- : 7.15
-- Browser(s) name and version -- : ALL

To our big shock we saw with a google search order info, personal client info on a websearch.
We use Hikashop with no accounts, so people only order as guest.

But if you know the url (difficult) all those order pages are accesable by everyone.
But one page is indexed by Google. How is this possible? Both in English and in Dutch.

This message contains confidential information


Of course my client is shocked about this.
Can you explain what went wrong here and what should we do to make this absolutly impossible in the future.


I'll keep on trying!

Please Log in or Create an account to join the conversation.

  • Posts: 66214
  • Thank you received: 9709
  • MODERATOR
3 months 3 weeks ago #305038

Hi,

Note that this is the only result you see for your whole website.
This means that the link to that order what somewhat shared somewhere on the internet by someone with access to that order or the email.
If there really was a "databreach", then, these searches should give back all the orders of your website, not just one.
So it's not a databreach of HikaShop. It would be more likely a "databreach" of the email account of that customer (so even unrelated to your website) or more likely that the notification email to that customer with this link was shared by himself and ended up being indexed by Google for some reason.

If you want that to be absolutely impossible in the future, the only solution is to not allow customers to checkout as a guest. That way, the access to the order will only be possible if the customer who made the purchase is the one logged in trying to access it.
Or you can also customize the order page to not display (you can add a <?php return; ?> at the beginning of the view file for that, and then remove the link to the order page in the notification emails so customers cannot access their order page after the purchase.

The following user(s) said Thank You: gasoline

Please Log in or Create an account to join the conversation.

  • Posts: 229
  • Thank you received: 7
  • Hikashop Business
3 months 3 weeks ago #305055

nicolas wrote: Hi,

Note that this is the only result you see for your whole website.
This means that the link to that order what somewhat shared somewhere on the internet by someone with access to that order or the email.
If there really was a "databreach", then, these searches should give back all the orders of your website, not just one.
So it's not a databreach of HikaShop. It would be more likely a "databreach" of the email account of that customer (so even unrelated to your website) or more likely that the notification email to that customer with this link was shared by himself and ended up being indexed by Google for some reason.

If you want that to be absolutely impossible in the future, the only solution is to not allow customers to checkout as a guest. That way, the access to the order will only be possible if the customer who made the purchase is the one logged in trying to access it.
Or you can also customize the order page to not display (you can add a <?php return; ?> at the beginning of the view file for that, and then remove the link to the order page in the notification emails so customers cannot access their order page after the purchase.


Hi Nicolas,
Thanks for the explaination. I also saw only one result was displayed, so that is very perculiair. At least nice to hear it is not an Hikashop issue, but something else. I'll inform my client and see what we can do.

In the meantime is it possible to add a robots=nofollow to that page. Can you suggest which file to edit?


I'll keep on trying!
Last edit: 3 months 3 weeks ago by gasoline.

Please Log in or Create an account to join the conversation.

  • Posts: 66214
  • Thank you received: 9709
  • MODERATOR
3 months 2 weeks ago #305068

Hi,

You can add such code at the beginning of the "show" file of the view "order":

<?php
		if(!headers_sent())
			header('X-Robots-Tag: noindex');
?>
Also, you can request google to de-index that URL: support.google.com/webmasters/answer/1663419?hl=en

The following user(s) said Thank You: gasoline

Please Log in or Create an account to join the conversation.

Time to create page: 0.057 seconds
Powered by Kunena Forum