Passwords stored in the clear

  • Using PayPal Payments Pro 2.0 (PayFlow). We just noticed that the paypal password is stored in the clear.

    select option_value From wp_options where option_name = ‘woocommerce_paypal_pro_payflow_settings’;

    Why? This just seems like plain bad practice, especially when it comes to working with financial institutions. Maybe this is something PayPal requires? Are there any plans to encrypt these passwords or perhaps use OAuth instead of traditional passwords for authenticating to paypal?

Viewing 1 replies (of 1 total)
  • Plugin Contributor angelleye

    (@angelleye)

    The credentials need to be available for inclusion in the API requests send to PayPal/PayFlow. As long as your database is secure there shouldn’t be any problem here.

    That said, we’ll look into encrypting the value that gets stored in the database as I do agree the storage method could be improved upon.

    I’ve added this to our GitHub repo for the 1.4.0 release. Thanks for the feedback!

Viewing 1 replies (of 1 total)
  • The topic ‘Passwords stored in the clear’ is closed to new replies.