Today (Feb 12, 2020) we were notified of a potential security issue in our Magento 2 Login as Customer extension, thanks to Daniel Sloof's tweet.
After reviewing the code and discussing it with Derrick Heesbeen and Lewis Voncken from experius.nl, we confirmed the security issue.
No confirmed attacks related to this issue have occurred to date. However, a malicious actor could potentially have logged in to a customer account during the short window after an admin user pressed the "Login As a Customer" button in the admin panel and before that admin user was redirected to the storefront and actually logged in.
Timing is critical to reproducing this issue: it affects all Login as Customer versions before v2.2.3, and the window lasts only a few seconds after the "Login As a Customer" button is pressed.
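The window described above is a general hazard of impersonation features: whatever secret lets the storefront accept the admin's login must not be redeemable by anyone else, even for a few seconds. The Python sketch below is an added illustration of the defensive pattern (a single-use, short-lived token bound to the issuing admin session and consumed atomically); it is not code from the Magefan extension or its v2.2.3 fix, and it does not describe the actual flaw. The class and function names, the 10-second lifetime and the session identifiers are assumptions made for the demonstration.

```python
import secrets
import threading
import time
from dataclasses import dataclass

# Assumed lifetime; the advisory only says the window lasts "a few seconds".
TOKEN_TTL_SECONDS = 10.0


@dataclass
class PendingLogin:
    customer_id: int
    admin_session_id: str   # the admin session that requested the impersonation
    expires_at: float


class ManualClock:
    """Constructed test clock so expiry can be exercised without sleeping."""

    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


class LoginAsCustomerTokens:
    """Single-use, short-lived, admin-bound impersonation tokens (illustrative
    pattern, not the extension's code). A token is removed from the store
    under a lock before any check runs, so at most one request can redeem it;
    it is also rejected unless presented by the admin session that issued it.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._lock = threading.Lock()
        self._pending = {}  # token -> PendingLogin

    def issue(self, customer_id, admin_session_id):
        """Called when the admin presses "Login As a Customer"; returns the
        token the admin's browser carries to the storefront."""
        token = secrets.token_urlsafe(32)  # 256 bits, unguessable
        with self._lock:
            self._pending[token] = PendingLogin(
                customer_id, admin_session_id, self._clock() + self._ttl)
        return token

    def redeem(self, token, admin_session_id):
        """Storefront side: return the customer id to log in as, or None.
        Pop first, check second: a losing racer, an expired token, or a
        presenter with a different admin session all get None, and the
        token is gone either way (fail closed)."""
        with self._lock:
            entry = self._pending.pop(token, None)
        if entry is None:
            return None
        if self._clock() > entry.expires_at:
            return None
        if not secrets.compare_digest(entry.admin_session_id, admin_session_id):
            return None
        return entry.customer_id


def race_redeem(store, token, admin_session_id, contenders=8):
    """Have several threads present the same token simultaneously and return
    how many were granted a login; with atomic single use the answer is 1."""
    results = []
    barrier = threading.Barrier(contenders)

    def worker():
        barrier.wait()  # release all contenders at once
        results.append(store.redeem(token, admin_session_id))

    threads = [threading.Thread(target=worker) for _ in range(contenders)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


if __name__ == "__main__":
    clock = ManualClock()
    store = LoginAsCustomerTokens(ttl=5, clock=clock)
    tok = store.issue(42, "admin-session-A")
    print("redeem by issuing admin:", store.redeem(tok, "admin-session-A"))
    print("second redeem of same token:", store.redeem(tok, "admin-session-A"))
    tok = store.issue(42, "admin-session-A")
    print("winners in an 8-way race:", race_redeem(store, tok, "admin-session-A"))
```

Because the token is popped before any check, a redemption attempt from the wrong admin session burns the token rather than leaving it live; the legitimate admin simply presses the button again, which is the right trade-off for a secret that authorises a full customer login.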
We encourage everyone using Login as Customer v2.0.0 - v2.2.2 to update the extension to at least v2.2.3 or to apply this quick fix.
At Magefan we always pay attention to Magento 2 extension security, do our best to prevent security issues, and take steps to fix any reported issue within hours.
We want to express our gratitude and say thank you to:
- Daniel Sloof
- Derrick Heesbeen
- Lewis Voncken