problem on Zoho Marketplace

Hi!

One week ago I wrote a message to support using the "feedback" link. In that message I asked for an urgent solution to a problem on Zoho Marketplace. I did not receive any answer; probably my message was somehow missed by ZC support. But the problem seems to me a very serious one, and I want this post to be a warning for the developers who have published applications on Zoho Marketplace or intend to publish there.

What is it about? I discovered that the Deluge script code of any application from Zoho Marketplace can be obtained by someone without asking to install the application, no matter whether the application is published with or without the source code, or whether it's free or not.

I will not make public the way in which this can be accomplished (as any vulnerability report does not contain all the technical details about the weakness of the software and the concrete ways which can be used to exploit the weakness). I'll communicate this again to support if needed, and possibly to ZC developers who have already published paid applications, if they mail me at my username (at) zoho.com, in case they need to be very sure that what I said is true.

Unfortunately, this makes Zoho Marketplace not a real marketplace, and I am really surprised that the ZC team ignored this.

My application on ZC Marketplace is a basic one. I will not remove it from Marketplace, but I have no intention of publishing another one in the future if the problem is not solved.

I only want to warn the Zoho Creator developer community that publishing applications on the ZC Marketplace can mean an unintended exposure of the source code of the published applications.

I'm still waiting for an answer from ZC support.

George