How do I report a nefarious extension seller? Topic is solved

[TheINIC]

Details:

• I viewed a listing in the Joomla extensions and installed a "free" version of a extension.
• My client approved and I bought support so I could and did install the "Plus" version.
• I installed the + on 3 other clients sites (permitted to do so).
• The server host shut down 2 sites blaming the extension I had installed.
• I contacted the seller who informed me that "You did not pay for support".
• I provided the seller with a copy of the receipt to prove I did pay for support.
• Seller became irate and refuted their ware was the problem, and refused to view the log from the server, or even discuss it.
• I wrote a 'fair' review.
• Seller sent several insulating and scathing emails referring to the review to which I responded to calmly and professionally that it was just my opinion, that I did say it was good
• I stopped responding to his emails, and found that all installations were disabled by the seller.
• My review has disappeared - and not by me.
  
  There have been no responses from the seller.
  
  I cannot find a means of contacting Joomla to alert them of this kind of seller behaviour. I know Joomla released itself from responsibility of sellers and their wares; I understand and accept that but I'm sure Joomla would want to be notified of such things. Is the there a place to do this privately with the right Joomla department?
  
  i.

[AMurray]

What was the extension in question. What was the issue that caused the host to shut down your site? Was it a reputable extension developer? (well may be not any longer....?).

I will point out that a common thing with paid support is that may only be applicable for one installation of the extension - one a specific domain or site (even if you can install it on any number of sites, the support is only for one site). It may not be this way for you specifically.

As you were asking for the right place to ask this question, may I suggest the following, although it still may not be the absolute suitable forum, it is a step closer: extensions.joomla.org - Feedback/Information .

Otherwise, you could just wait and see if any relevant responses come through the General Questionsn forum.

[KianWilliam]

Could I see the site that the extension is still working in it? Also you said the host shutdown 2 sites of yours because of this extension, and what was the reason for blaming this extension? what are the urls of these 2 sites? I am not doubting your comments, I just want to collect data.
Name of the extension or developer's site is also necessary to develop a logic for the right judgement based on collected data.
Kian William

[toivo]

The server host shut down 2 sites blaming the extension I had installed.

Did the host give you the details what happened with the extension that caused the sites to be shut down?

The forum 'extensions.joomla.org - Feedback/Information' is not about individual extensions but about the extensions site, JED, at https://extensions.joomla.org. It deals with the approvals of JED listings and tickets raised by the developers, rather than commercial disputes.

You downloaded the extension from Joomla Extensions Directory (JED) at https://extensions.joomla.org. Therefore you can report the extension from its Report! tab, but read the guidelines first. Reports cannot be used for technical support or settling commercial disputes. However, if you have evidence that the JED listing is fraudulent, you should report it. If the extension cannot be installed in the latest version of Joomla without errors, it should also be reported.

[Webdongle]

I am confused. You say that the Host shut down two of the sites but the seller eventually stopped the extension from working on all 3 of the sites. How can the seller stop the the extension from working on the 3 sites when two of the sites had already been shut down ?

[anibal_sanchez]

Hi,

In the extension details page, you can find a button to Report! that you can use to report an extension.

The JED team will review the case and process it accordingly.

Best Regards

[TheINIC]

Could I see the site that the extension is still working in it? Also you said the host shutdown 2 sites of yours because of this extension, and what was the reason for blaming this extension? what are the urls of these 2 sites? I am not doubting your comments, I just want to collect data.
Name of the extension or developer's site is also necessary to develop a logic for the right judgement based on collected data.
Kian William

Hello Kian and thank you for your interest in my issue.

To answer your question, the 'host' involved claims that the script allowed hackers through that in turn used the extension to send spam. My client, ex-client now, received over 1200 bounce-backs.

How did they disable it? The buyer enters a key received after purchase into the extension once it is installed. In checking two sites, I discovered they were disabled and the "About" had a notice telling me it was not working any longer and I should contact the dev, which was already in progress.

Today, they have apparently been re-enabled. The Dev stated, (in email just now) that it was in error and everything should be working OK.

Hope I answered your questions Kian

i.

[TheINIC]

I am confused. You say that the Host shut down two of the sites but the seller eventually stopped the extension from working on all 3 of the sites. How can the seller stop the the extension from working on the 3 sites when two of the sites had already been shut down ?

It was on 5 sites. This is allowed.

i.

[TheINIC]

The server host shut down 2 sites blaming the extension I had installed.

Did the host give you the details what happened with the extension that caused the sites to be shut down?

.... <brevity>

You downloaded the extension from Joomla Extensions Directory (JED) at https://extensions.joomla.org. ...

Hello Toivo and welcome to my nightmare

I'm not sure how I dl'ed it. I know I found it in the Joomla Extensions arena and usually I will go to the site via Joomla to do an in-depth read of the extension. Via Joomla/extensions, I'll jump to and use the Devs site itself to get an idea of just how reliable their product is. A site is a reflection of the ability of the dev. Plus, there is more detail there.

I don't click the Devs extensions "Download" link in Joomla. I go to the devs site and get the finite details there. I drag&drop the Devs UL into a folder with others, and then narrow down my options by checking them out again, on their site, before purchase. A lengthy process of elimination.

Note, that when I do look on Joomla, which is where I normally start my journey, I only look for "Paid Download" - the term "free" usually suggests the Dev assumes that my clients and their visitors privacy is free. I do NOT allow stalkers, of any kind on my clients sites.

i.

BTW - MY first program was compiled on a 8bit with 8K RAM

[TheINIC]

What was the extension in question. What was the issue that caused the host to shut down your site? Was it a reputable extension developer? (well may be not any longer....?).

I think I best keep that private for now, except for the High Kahunas at Joomla/extensions department.

I will point out that a common thing with paid support is that may only be applicable for one installation of the extension - one a specific domain or site (even if you can install it on any number of sites, the support is only for one site). It may not be this way for you specifically.

You're very warm. The paid license is for updates within 30 days only, "no support", but may be used on any number of sites. And I was OK with that.

As you were asking for the right place to ask this question, may I suggest the following, although it still may not be the absolute suitable forum, it is a step closer: extensions.joomla.org - Feedback/Information .

Otherwise, you could just wait and see if any relevant responses come through the General Questionsn forum.

Thank you AMurray for your time and knowledge,

i.

[Webdongle]

...

• ...
• I installed the + on 3 other clients sites (permitted to do so).
  
  ...

That makes 4 not 5

...

• ...
• The server host shut down 2 sites blaming the extension I had installed.
• I contacted the seller who informed me that "You did not pay for support".
  ...

The Host server shut down 2 sites because the seller says you didn't pay for support? Did the sellers of the extension contact your Host?

[TheINIC]

...

• ...
• I installed the + on 3 other clients sites (permitted to do so).
  
  ...

That makes 4 not 5

TWO were shut down on ONE host. THREE on "other" host/sites. That's 5!
TWO were shut down by first hosts because they claimed that hackers used the Ext to send spam, not to Admin, but through the Ext (according to hosts).The others (3) simply stopped working.

All installed uses of the Ext I/we installed - everywhere (doesn't matter about that) stopped working. Each had a warning. That has been changed (a few minutes ago).

The Host server shut down 2 sites because the seller says you didn't pay for support? Did the sellers of the extension contact your Host?

No and no.
The host shut down 2 because, as was originally stated, hackers used the Exts to wheedle their way in to send spam. When I notified the Dev/seller, the answer was I had not paid for support. As previously mentioned, I then provided them with a receipt. Dev/seller assumed I was asking for support, which I did not pay for. I paid for 30 days of updates - which went south a few months ago. Seller/Dev has not, as AFAIK, contacted the host/s.

The Dev/seller has recently offered to look at the hosts logs surrounding the incident. Today, the Dev/seller responded to my query regarding the discovered disabled Exts and reported back that it was a error and corrected their issue which re-enabled the Exts. I spent my day off researching the issue and implemented some tweaks that I hope will reduce the hacks. Too, this was the second time two sites were struck through the same Ext and third for a separate host with same Ext.

I would like to add that things with Dev and I are quickly improving.

Yadda yadda stuff - - I always read the Joomlaites Ext reviews. I always check Devs web sites, and triple-check that any Ext has no call/link-backs, no Googleware, and I only install "free" as a test in a sandbox before buying the Ext. "Free" too often means our/client/visitor privacy has no value. I prefer to pay and, I know, the magicians misdirection points to buying Support and the Ext appears but I prefer to buy (whatever) for the use of the Ext. So I am pretty careful with the 'wares I buy on behalf of others. end yadda yadda

Now, I have more tweaking to do on this, my day off
i.
p.s. I don't always choose the 'wares, sometimes clients request it. Oh, and while Joomla is my personal favourite, I sometimes have to go slumming

[Webdongle]

The extension was not the source of the hack. The entry point to your server was made elsewhere and your login/database password etc. found ... the hackers then used that info to utilise the extension to work for them.

Because two of your sites were hacked there is a chance that your server and the other sites are compromised. I would suggest you set up a thread for the hacked sites and post the results of the fpa there. PM me a link to the new thread and I can give the thread a look for you.

[KianWilliam]

Extension's name?
Kian William

[Physicist]

Do you think that extension is vulnerable? Just put its name there, and if it is available on JED (and free), most of developers can check it quite easily.

PS. From your text it is not quite clear who exactly and in what way you are accusing.

[toivo]

Just reminding everyone about the forum rule: "This is not the place...to be a 'wall of shame'."

If an extension is vulnerable, it should be reported to the VEL team at https://vel.joomla.org, who will investigate. If an extension won't install without errors, it can be reported to the JED team at https://extensions.joomla.org.

[Webdongle]

I doubt the extension is vulnerable. The OP will not produce the fpa report. That would show the possible point of entry for the hacker.

[sozzled]

As far as I can tell, the original problem was the result of a misunderstanding or a mistake on the part of an extension developer who shall remain anonymous. Despite calls to "out" this developer or to name a specific product on the JED, this forum should never be used as a means of airing a private misunderstanding or commercial dispute between one customer and one merchant.

In other words, as @toivo neatly summed it up, this forum should not be turned into a "wall of shame".

Many Joomla extension developers do not even use the Joomla forum. I think it's grossly unfair to expect Joomla extension developers to be aware that complaints may be levelled against them here, on this Joomla forum, when those matters ought to be settled privately or, at the very least, via the support mechanisms that ought to exist at developers' websites.

Having written this, I am deeply disturbed by the ongoing suggestions (or outright allegations) of abuses within the JED review system.

• I wrote a 'fair' review [about this extension on the JED].
• My review has disappeared - and not by me.

I cannot begin to count the number of times I have read similar criticisms of the JED review process. What is even more disappointing is that I don't think I have read anyone, anywhere, write anything favourable about the JED review system! It's almost as if the JED team is completely oblivious to the problem.

As I have often written, it's a tough gig being a developer. It's a tough job designing an extension, building it, testing it, packaging it, updating it, supporting it. It's a tough job making sure that the product passes the JED Checker. It's a tough job bringing the extension to market—submitting the extension for listing on the JED—and waiting several days (or weeks) until the submission has been approved. It's a really tough ask hoping that someone might actually download the extension and write a review about it. Even bad reviews are better than no reviews at all!

So, while I'm sympathetic to people who use the JED to obtain software for their websites, spare a few thoughts for those of us who are developing those things and who rarely receive any reviews—good or bad—about what we've done!

[KianWilliam]

The reason I asked the extension's name is only to study it, I do not judge over poster or developer of extension, this is a new experience and I want to learn, the poster could give the name of extension in private so that I will analyze it step by step.
Kian William

[Webdongle]

As far as I can tell, the original problem was the result of a misunderstanding or a mistake on the part of an extension developer who shall remain anonymous. ...

As far as I can tell .... the site was hacked (by some entry point) then a mailing extension utilised to send spam. The Host shut down the sites then the OP thinks the problem is with the extension.

If the OP were to post the results of the fpa then we can see the weakness on his site(s). But there is fat chance of him doing that ... he has not logged in for 2 days and has a history of starting threads then not replying when he doesn't like the response.

[TheINIC]

As far as I can tell, the original problem was the result of a misunderstanding or a mistake on the part of an extension developer who shall remain anonymous. ...

As far as I can tell .... the site was hacked (by some entry point) then a mailing extension utilised to send spam. The Host shut down the sites then the OP thinks the problem is with the extension.

I never said I thought it was the extension. If you like, I will give you my phone number and I will read to you what my original post says.

If the OP were to post the results of the fpa then we can see the weakness on his site(s). But there is fat chance of him doing that ... he has not logged in for 2 days

There are a many reasons many would not post the -stuff- as fast and as soon as you require them to be. Correct me if I am wrong, but I see nothing in the rules here that indicate anyone has to post at a rate that pleases your agenda.

1. Unless you are a Time/Post/How-To cop, then please stop second guessing what I am doing, thinking, want, have done, or should do, or should make time for.
2. Some people take time out from work. I am one of them and it doesn't give you the right to Trump "2 days" into a wild and woolly exaggeration.
3. Some things, such as the Dev, Host, and I communicating together takes time and are not done at a pace to please your time table; which BTW, you never provided, - so, please be patient.
4. FYI - Talking about others behind their backs, or as a third person in front of them - is seen by many as rude, crude, childish, and unprofessional.

Back on topic:
The Dev explained that the reason we saw red coloured warnings to contact the Dev, and the add-on stopped functioning was due to a update on another of their wares that should not have affected the add-on in question, and was corrected by the Dev.

The Devs ware is functioning again.

I didn't and won't provide the Devs name or wares because it would be very wrong and as the now blind-sided topic shows, I ask HOW to report them to the proper Joomla authority - not here, not until the whole thing is hammered out to black and white. Unlike some, I do not wish to run off at the keyboard making wild accusations when it could be something else.

I trust my bite on the bait was fast enough for you,

Merry Christmas and a Happy and Prosperous New Year Webdongle.

plonk

i.

[TheINIC]

Do you think that extension is vulnerable? Just put its name there, and if it is available on JED (and free), most of developers can check it quite easily.

As stated in my post, it was my HOST, not I, that indicated the Ext is/was "vunerable" [sic].
(the Dev offers a "free" version but I bought the support version with it's added features.)

PS. From your text it is not quite clear who exactly and in what way you are accusing.

I asked how I report the Dev. Knowing that some would ask 'why', I quickly tossed in what I hoped was not too much info, but enough to explain a possible "why". I'll never do that again!

Hope Christmas brings you peace, joy, and a bundle of your wish lists answered in a wrapper that says free

i.

[TheINIC]

As far as I can tell, the original problem was the result of a misunderstanding....

I'm sorry you feel the way you do. There was NEVER any intended ill-will aimed at JED. Nadda!


i.
It is a lazy person who exercises by jumping - - - to conclusions.

[Webdongle]

If you post the results of the fpa then that will help clear things up.

[sozzled]

Thanks, @TheINIC. I think I understood the trials you went through and I respected the manner in which you went about asking your question. There were two main points that I took away from this topic:

1) How does one go about reporting to someone—some "authority", that is—that they've had a problem with a product listed on the JED given that the JED team are not invested with any power to resolve commercial disputes.

2) The JED review system should be able to contain fair and "accurate" reviews based on the experiences of people who obtain products listed on the JED and, in cases where those reviews are deleted, people who provide details of their experiences via the "system" should be entitled to an explanation of the reason(s) for the review being removed.

The first point is unanswerable, to a large extent. The JED is largely caveat emptor. The JED provides no guarantees that products will work or will work as expected or may result in unexpected, unforeseen problems for customers or merchants alike.

The second point ought to be answered. Deleted reviews are, perhaps, the most-discussed and most criticised aspects of the "system" and I have never seen an adequate explanation given for why the JED review system presents with as many difficulties as it does. Further, I don't think I have read anyone, anywhere, write anything favourable about the JED review system!

[TheINIC]

Just reminding everyone about the forum rule: "This is not the place...to be a 'wall of shame'."

Thanks Toivo for pointing that out. It's why I asked how and where I should deal with the issue - so as not to "shame", belittle, or accuse anyone until all the facts are in, and even then, just with those of Joomla authority here.

If an extension is vulnerable, it should be reported to the VEL team at https://vel.joomla.org, who will investigate. If an extension won't install without errors, it can be reported to the JED team at https://extensions.joomla.org.

WOW! A answer! Thank you so much Toivo for responding with a answer to the question.

(/SIDEBAR)
FYI Toivo - I do have a PM with Topic "Dodgy extension and dev via vel " and my suffering from *AAO, I wasn't sure what a "dev via vel" was - until now.
(SIDEBAR\)

The very best Christmas Season and New Year to you and yours Toivo,

i.
*AAO = Acute Acronym Overload

[Webdongle]

Again ... it is unlikely that the extension is vulnerable. The entry point of the hack is rarely the place that it is spotted.

In either case (whether the hack was via the extension or elsewhere) you would be well advised to treat the server as compromised. viewtopic.php?f=714&t=757645

[sozzled]

@Webdongle: please leave this alone. No-one has any evidence of hacking. The website(s) involved in this case were shutdown through the actions of the webhosting provider; as I understand it, the situation has been resolved.

This topic was posted in the "JED Feedback" forum category. If it had been posted in the "Extensions for J! 3.x" or the "Security - J! 3.x" forum category then I can understand your line of enquiry. As this topic was simply a request for information about how to deal with a situation involving a dispute between a customer, an extension developer and the customer's webhosting provider—and the dispute has been resolved—then I think that's where we can probably leave the matter.

The website(s) involved in the matter may or may not be "compromised" but that's not really our concern. You've made your point; I don't think it's necessary to repeat it.

[Webdongle]

@Webdongle: please leave this alone. ...

If you want me to stop participating in this thread report me to the moderators.

...

The website(s) involved in the matter may or may not be "compromised" but that's not really our concern. You've made your point; I don't think it's necessary to repeat it.

site hacked 01.JPG

It would be negligent of us not to inform that the site needs to be cleaned. Not just to the OP ... but also because newbies (who read this thread) might think reporting an extension is enough to eradicate a hack.

[mandville]

Moderator comment.
Topic locked to prevent degradation.