April 9, 2022 at 8:53 am #2183252 Jakub
Dear GeneratePress Team,
I would like to know why the license key is easily accessible for every installation via “inspect element”.
And even if you try to deactivate the misusing websites, the key itself is still within the website’s database and reactivates itself.
This is, in my opinion, a huge vulnerability hole that very heavily influences the privacy of our license keys.
It’s also unfair to your customers since this introduces the circumstances to violate the license that are completely beyond our control.
It’s not very hard to imagine a scenario where the license keys just leak out somewhere they shouldn’t, even without the license holder’s knowledge or consent.
I hope your team, as developers, is going to address this issue quickly.

April 9, 2022 at 7:08 pm #2183491 Tom, Lead Developer
We are aware of this and we’ll be implementing better encryption in the next GPP version.
Of course, the best way to protect your license key is to remove it from any sites you’ll be handing off to other people. Even with encryption people will be able to decrypt it if they really want to (but it will be harder than now, for sure).
Thanks!

April 9, 2022 at 8:22 pm #2183516 Jakub
Thanks so much for your reply!
You know, I’m really happy that you are aware of the problem and planning to fix it in the upcoming release of the plugin, but that doesn’t change the fact that, as of today, your policy leaves us, your customers, completely unprotected. According to the license, you’re putting on our shoulders all the responsibility to protect our licenses. At the same time, we can never be sure where our keys really go because the plugin that you provide has a huge security flaw.
This is a very unequal situation when the end customer is at risk of loss (not even knowing about it) and cannot really protect themselves from it.
I really love your work, your theme is awesome, but as your customer, I would like to see the ToS protect us from such incidents.

April 9, 2022 at 8:31 pm #2183518 Jakub
This is a critical problem. GeneratePress is one of the biggest and most popular WordPress themes, recommended by lots of authorities within the industry. I’m not even trying to guess how many licenses have been revoked just because they “leaked out” somewhere they shouldn’t have.

April 10, 2022 at 7:11 pm #2184454 Tom, Lead Developer
I’m not sure I’m fully understanding. The license key area is only available to administrators. Your license key can only “leak” to administrators of the sites you add the key to. Even if the key was encrypted (like your passwords), administrators can access the database and decrypt the key (just like they can with passwords).
Just to be clear – your license key is only visible to administrators on your website. It is not visible to anyone else. There is no critical vulnerability here, it’s simply a matter of increasing the security of the license key so even administrators have to work a little harder to grab the encrypted version from the database and decrypt it.
If you don’t want your license key to be visible to administrators on the sites you build, the best thing you can do is not add it. This goes for any sort of private data – if you add it to the database, administrators of that site will be able to access it.
If you feel that there is a vulnerability where non-administrators can access the license key, please report the issue privately: https://generatepress.com/contact
Thanks!

April 11, 2022 at 7:29 am #2184942 Jakub
Yes, this key is visible on every website that I install it on. It means that if I do projects for 50 websites, for example, these 50 administrators have access to my key and they can use it and spread it freely. In the worst-case scenario it is spread on the internet, and in the best-case scenario they just use the key for additional free installations in the future.
To assume that this thing won’t ever happen is very wishful and naive thinking.
Let’s think about the scenario where one of the owners whose site I have installed GeneratePress Premium on has bad intentions and spreads the license over the web. Now, dozens of websites are starting to be activated under my license, which I legally purchased.
Will I receive a notification? No, because you don’t have such a system.
Can I cut off those additional websites that misuse my license without my consent?
No, even if I cut them off with my GPP dashboard the key is still in website database and reactivates itself.
Am I breaking the licensing rules? According to your policy, yes, because according to the ToS:
“Where the license package allows the software to be used on multiple sites the customer/license-holder may not redistribute the originally-purchased license key provided by EDGE22 Studios LTD, to other users of the license (such as clients) for commercial benefit. Additionally, the customer may not sublicense, to any person or entity, any rights to distribute the software or license key.”
In other words, once we install our license on a third-party website, we have in fact zero control over its further distribution. Your policy doesn’t really respect that fact and doesn’t really protect our licenses from being compromised that way.
We are in theory provided with an option to deactivate sites from our GeneratePress customer dashboard, but as I said earlier, it doesn’t do much, to be honest.

April 11, 2022 at 7:41 am #2184951 David, Staff (Customer Support)
Just to reiterate what Tom said, your license key is only exposed if a) you give Administrator rights to a user, and b) they have the know-how to retrieve the key. For point b) we will be making that more difficult in future updates.
If the user DOES NOT have admin access then the key is not exposed.
If you do not think this is the case or you have information that demonstrates that non-Admin users can access the key, then please report it privately via this contact form:
https://generatepress.com/contact

April 11, 2022 at 8:13 am #2185190 Jakub
I provide WordPress website design services to personal bloggers who in most cases are the website owners and the administrators of their own websites.
I get into the websites, design them, tweak them and leave. That’s my job. There is literally nothing stopping them from using that license further.

April 11, 2022 at 7:56 pm #2185743 Tom, Lead Developer
Our update will at least improve the security of the license keys in this case. However, site administrators will always have access to the data saved in their database, regardless of encryption. If you want to keep your license key 100% safe, it’s best to remove it from the site before handing it off to the client. Then they can purchase their own key (or you can purchase one for them using your affiliate link).
Thanks!

April 12, 2022 at 1:26 am #2185940 Jakub
Can you please give any hints on when this update is going to be released?

April 12, 2022 at 5:54 pm #2186928 Tom, Lead Developer