Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345.
Update Nov 30th: Webgility has discovered another security issue and urges all customers to upgrade to version 346.
When an accounting software firm proclaims to do epic shit, you know they are up to no good. The VC-funded Webgility software contains a backdoor for the purpose of remote upgrades. As a side effect, this allows anyone to upload PHP code and do all kinds of naughty stuff. Curiously, the Webgility engineering team denies the existence of the backdoor, even when confronted with a functional proof of concept and a demonstration video.
Because of the severity, I recommend Webgility customers to restrict access to trusted IPs or temporarily remove the software until there is a fix.
The backdoor was discovered by Eric Seastrand as part of a PCI code audit. He reported the security flaw on Oct 16th to Webgility, together with an extensive explanation, sample code and a demo video. Then, he got this odd response:
Our engineers further reviewed your E-mail and we would like to inform you that, this file can’t execute automatically or through a Web Browser […] we request you kindly do not test or trial anything in Webgility module folder
Eric answered patiently and explained once again how the unauthorized update mechanism poses a serious security threat. Webgility thanked him for the suggestion and closed the ticket without further ado.
I also gave it a couple of tries to explain the situation, but they would have none of it.
Just to be sure: I have validated Eric’s proof of concept exploit code on my live store. Because of the intense efforts that criminals are undertaking to find vulnerabilities in 3rd party ecommerce software, it won’t be long before this flaw will be massively exploited to turn the thousands of Webgility customers into card skimming zombie stores.
Hopefully this post will get Webgility to release a fixed version. If not, better to stay far from its software.