Pretty shocking error -All of your users could be operating illegally

  • This plugin explicitly states that it does not send information to your server, and instead sends directly to Stripe as prescribed in the stripe documentation – great. Except it doesn’t.
    This means most if not all of your 3000+ users are unwittingly violating PCI Compliance (assuming they are not already verified and accept card data in other forms).

    I inspected using chrome development tools and the following items are ‘named’, thus hit your server (whether they are stored or not is not important, you need to be PCI Compliant to even receive the information).

    The list of vulnerable data:
    1. name=”stripe-card-number”
    2. name=”stripe-card-expiry”
    3. name=”stripe-card-cvc”

    This is in direct contradiction to the Stripe docs that say DO NOT put a ‘name’ attribute on the html elements.
    You should check the docs here: https://stripe.com/docs/tutorials/forms – it uses ‘data-stripe’ attributes to prevent the form information from being submitted to your server.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author syednazrulhassan

    (@nazrulhassanmca)

    Thanks for your Feedback you should check this post by me as well

    Most interesting is If your site is hacked by a hacker stripe.js is of no use a hacker can change the code on site itself specially on WP untill u keep your WP & plugins updated

    And practically if your site is using SSL certificate the Posted data regarding “stripe-card-numbe”, “stripe-card-expiry” , “stripe-card-cvc” will be encrypted and not intercepted by hacker.

    Paying $79/year for a woothemes plugin that does not work on many sites with very tedious support as said by other who reviewed the plugin have brought users to this plugin as this very plugin written by me uses PHP SDK version 1.8.10 for PHP 5.2 compatibility provided by stripe officially.

    We are working on PCI compliant version but problem is using stripe.js fails with multiple themes and couple of other plugins due to javascript conflict we are working on more better way to fix this up

    And finally my Desription states
    Uses Token method to charge Credit Cards rather sending sensitive card details to stripe directly as prescribed by Stripe.

    Which means i am sending tokens to stripe and i am not sending card details to stripe however coupled with SSL form data hit the server and sent to stripe via Official SDK by Stripe over SSL and token is created received by server and which is (token) sent back to stripe to charge the card

    Businesses have lost Hundreds of dollars getting stripe work and i have provided support till the issue has been fixed and i am not paid at all for this But i am helping and contributing community but i am not being helped by anyone still i am working on PCI compliant not releasing before Christmas as it might break others site so be sure to get PCI compliant by stripe.js in near future Creating something that works takes a lot of time ??

    I do have a version supporting Stored cards for future checkout that do practically works and tool a lot of time to make it bug free

    If Stripe wants it 100 PCI compliant they should get someone to write a plugin for woocommerce and offer for free which should work on most sites i am not making money from this plugin rather i am helping very small business to get started at least with minimum effort

    I appreciate if you get me some help on making it PCI compliant

    Thanks a lot for writing

    Thread Starter CImrie

    (@cimrie)

    Hi nazrulhassanmca,

    I apologise if it seemed like an attack on yourself – it was intended just to highlight the issue of PCI Compliance. I like many others value the time that people spend making plugins, and it is great that you contribute to the community.
    From my experience of integrating with Stripe (I don’t use WordPress often to be honest) stripe.js requires (or at least now requires?) SSL to be used. The token is then passed to the server (this is ok to have a ‘name’ attribute).

    The problem I had is that this plugin claims that it does not hit your server and yet it does, which means it isn’t PCI Compliant as you said – but many users starting small businesses etc will not be aware of these implications. I just wanted to highlight that if they want to use this plugin they will need to get tested for PCI compliance on their end (which involves checking their server security and work practices).

    I would recommend placing a disclaimer on your description saying that you would need to be PCI compliant to use it.
    I am pretty bogged down with my own development work at the moment but I will be happy to take a quick look through your plugin code to see if I can make any suggestions / quick fixes for this. Will get back to you if so ??

    Thread Starter CImrie

    (@cimrie)

    Hi nazrulhassanmca,

    I have taken a look at your code and redone a portion of it to make it PCI compliant (now using my version in my online store).
    I would be happy to share the new code to you if you are willing to credit the PCI compliance to me?

    Is there a place I can email you / private message to discuss this?

    Thread Starter CImrie

    (@cimrie)

    Hi naxrulhassanmca

    As you likely know someone posted asking what the progress on this was (I can’t see it on here just now strangely).
    Did you get my email a couple of weeks ago with the updated code?

    Any new info on all this? I am going to be needing a stripe plugin for WC but am very concerned after reading this.

    Will the updated PCI compliant code be added soon?

    Thanks!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Pretty shocking error -All of your users could be operating illegally’ is closed to new replies.