Trojan in CS-Cart. Leaked invoices from 35,000 online stores

TL;DR: The developers of the second most popular online-store engine (according to ratingruneta) have built code into the engine that sends copies of all customer accounts to a server in Arizona.





Who suffered

Online stores running any version of CS-Cart, and their customers.

The company itself claims 35,000 installations in 170 countries around the world.





What information is contained in the leak

  • Full name of the online store buyer
  • Buyer's address
  • Buyer's phone number
  • Buyer's email
  • Order amount, ordered goods and services
  • Postal tracking numbers





Details

CMS: https://www.cs-cart.ru/, https://www.cs-cart.com/.

Version 4.12.2.SP2, written in PHP, running on a LAMP stack.

The file ./app/Tygh/Pdf.php, which handles PDF rendering:





<?php
...
protected static $url = 'http://converter.cart-services.com';
...
public static function render(...)
{
    ...
    // the document data is JSON-encoded and POSTed to the external host;
    // the PDF that comes back is written straight to $file
    $response = Http::post(self::action('/pdf/render'), json_encode($params), array(
        'headers' => array(
            'Content-type: application/json',
            'Accept: application/pdf'
        ),
        'binary_transfer' => true,
        'write_to_file' => $file
    ));
...
protected static function action($action)
{
    // prefixes the requested path with the hard-coded remote URL
    return self::$url . $action;
}



Here json_encode($params) is the data to be rendered, and Http::post(self::action('/pdf/render') expands to

Http::post("https://converter.cart-services.com/pdf/render")

So every document the Pdf class renders (see above), invoices included, is sent in full to that external server.





converter.cart-services.com

(converter.cart-services.com), , 2018 (, , ), 2006 , .





Resolving the converter host gives the following:





- Resolving "converter.cart-services.com"... 1 IP address found: 184.95.47.28

┌PTR cs-cart.com
├ASN 20454 (SSASN2, US)
├ORG Servstra
├NET 184.95.32.0/19 (SERVSTRA)
├ABU -
├ROA ✓ UNKNOWN (no ROAs found)
├TYP Proxy host Hosting/DC
├GEO Phoenix, Arizona (US)
└REP ✓ GOOD
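A shop operator cannot easily change vendor code, but can see the outbound calls. The following is an added example (not from the article or from CS-Cart) that checks an outbound proxy log for POST requests to the converter host, to the IP it resolved to, or to anything in the hosting block shown above; the log format and its entries are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the article: the renderer hostname and the
# hosting block its IP (184.95.47.28) belongs to.
CONVERTER_HOSTS = {"converter.cart-services.com"}
CONVERTER_NETS = [ipaddress.ip_network("184.95.32.0/19")]

# Constructed sample of an outbound proxy log (not real traffic).
# Format assumed here: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-05-10T09:12:01Z shop-web1 GET https://cdn.example.net/css/app.css 200
2021-05-10T09:12:05Z shop-web1 POST https://api.example-payments.test/charge 200
2021-05-10T09:12:07Z shop-web1 POST http://converter.cart-services.com/pdf/render 200
2021-05-10T09:12:09Z shop-web1 POST http://184.95.47.28/pdf/render 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")


def is_converter_destination(host: str) -> bool:
    """True if the host is the renderer by name or sits in its hosting block."""
    if host.lower() in CONVERTER_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname that is not the renderer
    return any(addr in net for net in CONVERTER_NETS)


def find_invoice_egress(log_text: str) -> list:
    """Return the log entries that POST data to the external renderer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, method, url, status = m.groups()
        host = urlparse(url).hostname or ""
        if method == "POST" and is_converter_destination(host):
            hits.append({"time": ts, "client": client, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_invoice_egress(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} sent document data to {hit['url']}")
```

The same match on hostname or hosting block can be used as an egress deny rule, so the render call fails instead of leaving the network.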





- , 35 , , , , - , 15 .





A database accumulated over what is presumably 15 years is a goldmine for criminals of every kind: it holds not only the personal data of tens of thousands (if not hundreds of thousands) of people, but also information from which their financial standing can be judged.

How this squares with personal-data laws (GDPR, Federal Law No. 152-FZ) needs no explanation.

Raising the issue on the support forum, by the way, ends with the topics being deleted and an open admission that this behaviour will not change.
