Shop is down for the weekend as a precaution

Well. This is an interesting situation.

I’ll preface the info below by saying that if you’ve ever purchased from the shop, your data is safe.

As it pertains to security issues in the IT community, there’s a practice called responsible disclosure, and today it failed miserably thanks to a lack of communication.

Typically what happens is that a software vulnerability is found and disclosed to the developer. They fix it and release the update, and after a couple of days the vulnerability is shared with the public as a whole; hopefully by then most people have already updated. We all go on with our lives a little safer for this process. This is supposed to allow things to get fixed before they’re exploited by “bad people”.

However, apparently nowhere in that process above is there a step for “well, we goobered that fix up really badly and have to withdraw it, but that will leave a lot of people vulnerable when the public disclosure happens, so let’s push the public disclosure down the way a bit.”

There’s a security issue with the software that I use for the shop. It was disclosed to the developers and patched in the next version – a version that came out 4 days ago. Today, the public disclosure went out as it should have, since the patch was released 4 days ago. Seems all good, right?

What happened in the meantime wasn’t so good. The software update was promptly withdrawn because a major bug was discovered that broke a lot of sites. They pulled it back and committed to fixing and testing before re-releasing it. The newest ETA for the next version that would fix this bug is January 15th.

Today though, Wordfence published the vulnerability information, based on there being an extant fix to apply. This issue is now known and exploitable. The world now knows that ALL 5+ million websites that use this software are vulnerable.

I pulled the shop offline as a preventative measure only. Once the disclosure happened and I saw that the patch had been withdrawn, I disabled the shop to make sure it couldn’t be compromised.

I will say again: No data was lost. No credit card information is ever kept on this site and any personal details are secure.
