API Security Issue - Returning Highly Sensitive Data

I have recently posted in the security forum about the data returned via the API in response to a query on a specific order at order data level. I will simply post the link here for that thread:

http://forum.cs-cart.com/topic/46034-api-security/

Without repeating all that is said in ^^^ here are the fields transmitted that cause me a great deal of concern and should, I feel, be configurable / only enabled as an "option" via an API configurator in admin area:

    [payment_method] => Array
        (
            [payment_id] => 18
            [company_id] => 1
            [usergroup_ids] => 0
            [position] => 0
            [status] => A
            [template] => views/orders/components/payments/cc_outside.tpl
            [processor_id] => 1000
            [a_surcharge] => 0.000
            [p_surcharge] => 0.000
            [tax_ids] => Array
                (
                )
        [localization] => 
        [payment_category] => tab2
        
        /* IT IS THIS ARRAY THAT CAUSES ME THE MOST CONCERN! */
        
        [processor_params] => Array
            (
                [merchant_id] => [REDACTED!]
                [access_code] => [REDACTED!]
                [password] => [REDACTED!]
                [transaction_type] => SALE
                [currency] => 826
                [cv2_mandatory] => [REDACTED!]
                [country_mandatory] => [REDACTED!]
                [state_mandatory] => [REDACTED!]
                [city_mandatory] => [REDACTED!]
                [address_mandatory] => [REDACTED!]
                [postcode_mandatory] => [REDACTED!]
            )

        [payment] => [REDACTED!]
        [description] => Secured By [REDACTED!]
        [instructions] => 

We forwarded this information to our software engineers for examination.

Thank you... I look forward to the response.

Any update on this?

Ok - in the absence of any action / response - I have simply created a proxy to pull the data on the server and filter out what I don't want over the wire.
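A filtering step of the kind described in the post above, as an added example that is not the poster's proxy or CS-Cart code. It assumes the order response arrives as JSON shaped like the dump earlier in the thread; the allowlist contents, the `order_id` field and all sample values are constructed for illustration.

```python
import json

# Fields of payment_method the downstream consumer is assumed to need (assumption).
PAYMENT_METHOD_ALLOW = {"payment_id", "status", "a_surcharge", "p_surcharge"}
# Backstop: keys removed at any depth, wherever they appear.
SENSITIVE_KEYS = {"processor_params", "merchant_id", "access_code", "password"}

def scrub(node):
    """Recursively drop denylisted keys from dicts and lists."""
    if isinstance(node, dict):
        return {k: scrub(v) for k, v in node.items()
                if k.lower() not in SENSITIVE_KEYS}
    if isinstance(node, list):
        return [scrub(v) for v in node]
    return node

def filter_order(order):
    """Apply the denylist everywhere, then the allowlist to payment_method."""
    out = scrub(order)
    pm = out.get("payment_method")
    if isinstance(pm, dict):
        out["payment_method"] = {k: v for k, v in pm.items()
                                 if k in PAYMENT_METHOD_ALLOW}
    return out

def filter_response_body(raw):
    """Fail closed: anything that is not a JSON object is rejected, not relayed."""
    try:
        order = json.loads(raw)
    except ValueError as exc:
        raise ValueError("upstream body is not JSON; refusing to relay") from exc
    if not isinstance(order, dict):
        raise ValueError("unexpected upstream shape; refusing to relay")
    return json.dumps(filter_order(order), sort_keys=True)

# Constructed sample shaped like the dump above; credential values are placeholders.
SAMPLE = json.dumps({
    "order_id": 1001,  # hypothetical field and value
    "payment_method": {
        "payment_id": 18, "company_id": 1, "status": "A",
        "template": "views/orders/components/payments/cc_outside.tpl",
        "processor_id": 1000, "a_surcharge": "0.000", "p_surcharge": "0.000",
        "processor_params": {
            "merchant_id": "PLACEHOLDER", "access_code": "PLACEHOLDER",
            "password": "PLACEHOLDER", "transaction_type": "SALE", "currency": "826",
        },
    },
})

if __name__ == "__main__":
    print(filter_response_body(SAMPLE))
```

The allowlist is what protects against fields added by a later upgrade; the denylist only catches the known credential keys if they turn up elsewhere in the response.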

Dear Wilko,

This issue was confirmed as a bug. It will be fixed in one of the next CS-Cart versions.