User phone numbers not secure

Currently, in Cs-cart 4.15.1 one logged-in user can change their phone number to that of another user and the number would be successfully added. For example, on the contact and shipping pages, one can use a number that another cs-cart user has already registered.
For shipping purposes perhaps this wouldn’t be a high-risk problem, for profile contact information, this is a serious issue.

Why is cs-cart not building verification features for numbers a customer tries to link to their profile?


Since CS-Cart itself is relying on email to determine the specific customer, there are several third party solutions at the Marketplace, that change this behavior to be based on phone number instead of email:

I hope it will help you.


Thanks for the reply. I will give those suggested apps a look and see if they help. Usually, I am not fond of third-party add-ons because some of them tend to be unreliable and easily break or are poorly maintained.

I hope in the future Cs-cart will build this in their updates.



Please have a look our addon too eCommerce needs :: Optimize conversion :: Login and registration by SMS / OTP code

We have ability to confirm phone number in profile and many SMS gateways.


I’ll chime in and give one extra reason for this approach: it allows for a quicker launch of an online store or marketplace.

Email messages are usually free: CS-Cart can send them though a PHP function (probably without any configuration, depending on your server), or using a free SMTP server like Google’s (with very little configuration).

If CS-Cart had relied on something else, like SMS or messengers, it would’ve required a provider for these services. Those are often paid, require configuration, might not work for some numbers, and there may be other concerns: privacy, data sharing, etc. :man_shrugging:

We’re always considering things like this. For example, the Notification Center (see “Administration > Notifications”) was intended as the groundwork and a single hub for various means of contacting customers. Currently, it has in-app and email notifications by default.


Based on your input it makes a lot of sense. And I totally agree that SMS would require a lot more of work and expense.
I think Cs-cart can at least build that feature and add some more popular service providers in it and then leave it for the cart owner to sign up to those paid services and use the feature if they want.
Just like what Cs-cart did with the built-in SMS notification for order department. They built the feature and put in Clickatell which is a paid service. I love the feature even though the reason I don’t use it is because Cs-cart put in Clickatell as an only option. I use Twilio and not Clickatell.
So I ended up buying an SMS notification add-on from RetailFactory and the app works great and has a lot of different service providers inside including Twilio and Clickatell.

In summary what I’m saying is, it’s better to have an important feature even if it costs money to use for the store owner, rather than not having it at all. Because some store owners don’t mind paying money for such important services that improve user experience.

And this is just the time, when our partners come in, offering ready made solutions for such cases :slight_smile: