Convoluted Offerings: Obfuscation and Magento Extensions

Share this post

At CommonPlaces, our primary shopping cart and e-commerce platform that we recommend and use for clients is Magento. One of the greatest things about Magento is the vast number of extensions available to users. Magento Connect offers a series of extensions from a variety of vendors that allow the user to customize and enhance their Magento Store. Here, I would like to point out a few observations that I have made from my experience using Magento. Hopefully, from this, developers and consumers in the Magento Connect marketplace can make better decisions regarding the creation and use of Magento extensions.

Code Obfuscation in Magento Connect MarketplaceRecently, I have had experiences with several commercial Magento Extensions whose authors have decided that using obfuscation techniques is a reasonable way to deliver source code. For those not familiar with code obfuscation, it is the process of making the normal source code very difficult or impossible for others to read and work with. For the most part, this technique has fallen out of practice, and for very good reasons.


From the seller’s perspective, code obfuscation techniques are great for promoting repeat business. Since the code is so hard for others to interpret and work with, the buyer is very likely to return to do more business with the seller. If the buyer wants to make repairs to the code in any way, he/she may find it necessary to go back to the seller for assistance. Similarly, if the buyer wants to make any customizations to the extension’s code, he/she may also need to employ the help of the seller to accomplish it.

This practice obviously has several downsides from the buyer’s perspective.

1. You cannot customize the software

2. You cannot make repairs

3.You cannot easily determine what it does

4. You cannot ensure the security of the extension

5. You cannot reason that it is not a backdoor

6. The code could be self updating

Even if you are not concerned about the first four above, number five should make you pause and ponder the situation. The fact that the code could be self updating should make you the most concerned. Even if you knew what the code would do today, it might react differently tomorrow or the next day. It is nearly impossible to establish that from reading the code alone. The image below is a winning entry in a code obfuscation contest. It serves as a good example of how difficult code obfuscation can be to decipher.

An actual winning entry for most creative use of code obfuscation

During the last year, I have encountered all 6 of these issues on behalf of clients seeking assistance with their existing web properties at one point or another. Of the issues I have mentioned, none of these are specific to Magento Extensions. But this marketplace does seem to be full of vendors who consider this a viable practice. To be clear, there are many, perhaps the majority, of venders who deliver normal code in their extensions. Still, encountering so many of the items above is a concerning reflection.

As a developer who uses Magento extensions very often, I offer a few suggestions to developers and consumers. If you are a developer of Magento Extensions, I strongly urge you to avoid this approach to source code delivery. While it has fallen out of practice, it can cause a great deal of frustration to consumers. As a consumer of Magento Extensions, I strongly recommend thinking twice before using extensions with this source code. Do some homework and evaluate the extensions before using them. Make sure the vendors with whom you are doing business provide you normal source code as a requirement of the transaction.

We all shoulder responsibility in providing secure e-commerce solutions, and this approach must be part of the consideration. If you have any questions about the e-commerce solutions, please feel free to contact the CommonPlaces team.

CTA Website Security Checklist

Related Posts

The Dilemma of Estimates

The Dilemma of Estimates

Estimates serve as the cornerstone of any website project, providing clients with a roadmap for budgeting, planning, and expectation management. They offer a glimpse into the intricate tapestry of tasks, timelines, and resources needed to bring a website to life.

Config Sync Overview

Config Sync Overview

When Drupal 8 was released, it came with Configuration Syncing functionality. This has been a staple ever since for Drupal 9, Drupal 10, and beyond. Configuration Syncing was a game changer and one of my favorite features in Drupal Core.The days before config sync...