github reactioncommerce/reaction v1.12.3

v1.12.3

Security Release

We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured.

Overview

This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it is unclear why the form for it was originally added to the application; it was introduced by a community contribution when the Reaction Social plugin was first created. The App Secret should be removed from the Reaction Social panel. This will not affect Facebook OAuth login, which is configured separately in the login services dashboard. If the same secret was used there, it should be reset and a new token should be used for OAuth login via Facebook.

Vulnerability

OAuth Service Configuration Publication Vulnerability
Severity: High
Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
Affected Installations: Any shop with a configured Facebook appSecret in the Reaction Social dashboard.
Affected Versions: All versions greater than or equal to v0.5.3
Remediation: Apply the patch or upgrade to a patched version of Reaction Commerce.

Patches

Patches are attached to this release.

Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. Each file name includes the versions it applies to.

Two patch files for removing the UI, depending on your software version:
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

Version-specific migration patch files for removing the appSecret from the database:
fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
fb-app-secret-migration-v1.17.0-2018-11-19.patch
fb-app-secret-migration-v1.16.0-2018-11-19.patch
fb-app-secret-migration-v1.15.0-2018-11-19.patch
fb-app-secret-migration-v1.14.0-2018-11-19.patch
fb-app-secret-migration-v1.13.0-2018-11-19.patch
fb-app-secret-migration-v1.12.0-2018-11-19.patch
fb-app-secret-migration-v1.11.0-2018-11-19.patch
fb-app-secret-migration-v1.10.0-2018-11-19.patch

Recommendations

Option 1: Install patched version of Reaction Commerce

If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

Option 2: Patch it yourself

Remove Facebook App Secret from social plugin settings

Check the social settings operator panel. It can be accessed by clicking the "share-alt" icon towards the bottom of the operator sidebar on the right of the screen.

Inside the social settings panel you will see the settings page for Facebook. If you have an "App Secret" configured in this section, remove it.

If you prefer to do this with a migration, use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, contact security@reactioncommerce.com for assistance patching your version.
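As an added illustration of what the migration patches do, here is example code that is not the project's own migration: it audits a plugin settings document for secret-looking fields under the published settings subtree and builds the update that would remove them. The document shape it assumes (a Packages document with settings.public.apps.facebook.appSecret) is an assumption made for illustration.

```javascript
// Added example, not part of the Reaction Commerce release or its patches.
// Assumed shape (illustration only): plugin settings live in a "Packages"
// document and Reaction Social keeps per-network settings under
// settings.public.apps.<network>; everything under settings.public is meant
// to be published to browsers, so a secret stored there is readable by any
// unauthenticated client that subscribes to that publication.
const SECRET_KEYS = new Set(["appSecret", "clientSecret", "secret"]);

// Recursively collect dotted paths of non-empty secret-looking string fields.
function findSecretPaths(obj, prefix = "") {
  const found = [];
  if (obj === null || typeof obj !== "object") return found;
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SECRET_KEYS.has(key) && typeof value === "string" && value !== "") {
      found.push(path);
    } else if (value !== null && typeof value === "object") {
      found.push(...findSecretPaths(value, path));
    }
  }
  return found;
}

// Audit one Packages document. Only the settings.public subtree is scanned,
// because that is the part a publication sends to clients.
function auditPackageDoc(doc) {
  const publicSettings = (doc.settings && doc.settings.public) || {};
  return { name: doc.name, leakedPaths: findSecretPaths(publicSettings, "settings.public") };
}

// Build the MongoDB update a migration would apply to remove those fields.
function buildUnsetUpdate(leakedPaths) {
  const unset = {};
  for (const path of leakedPaths) unset[path] = "";
  return { $unset: unset };
}

// Constructed sample document; values are placeholders, not real data.
const sampleDoc = {
  name: "reaction-social",
  settings: {
    public: {
      apps: {
        facebook: { enabled: true, appId: "000000", appSecret: "PLACEHOLDER-SECRET" },
        twitter: { enabled: false, username: "" }
      }
    }
  }
};
```

A real migration would run the returned update against the matching Packages document with the MongoDB driver, then have operators invalidate the exposed secret at Facebook as described below.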

Patch Reaction Commerce

Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

v1.14.0 - latest
fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

v0.14.0 - v1.13.2
fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

If you’re running a production shop on a version older than v0.14.0, please contact security@reactioncommerce.com for assistance in determining if patching the operator panel is necessary for your version.

Invalidate Existing Secrets

If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

Generate New Secrets

If you used this App Secret in any other application or for Facebook OAuth login, generate new secrets and use them so you can continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.
