Ghost Architect is a codebase triage tool. The best way to demonstrate what it actually does is to show it working on real code. So we pointed it at a real, publicly available production extension — the Meta for Magento 2 Business Extension — and ran a full scan.
658 files. 18 findings. Under 10 minutes. $0.23 in API costs.
Here's exactly what we found, why it matters, and what it tells you about what might be hiding in your own codebase.
Why the Meta Extension?
We chose the Meta for Magento 2 Business Extension specifically because it's publicly available, widely deployed across Magento stores, and represents the kind of third-party integration that agencies install on behalf of clients and often never revisit. It handles Facebook Pixel events, Conversion API calls, product catalog syncing, and ad attribution — which means it sits at the intersection of your storefront code, your customer data, and your advertising spend.
Extensions like this are ideal candidates for a triage pass precisely because they're trusted by default. They came from a recognized vendor, they passed a quick install check, and then they ran in the background for months or years while the team focused on other things. Trusted-by-default is where the interesting findings live.
We notified Meta's security team at security@fb.com before publishing any of these findings publicly.
The Findings: A Full Walkthrough
Ghost Architect returned 18 findings across the severity spectrum. We'll walk through the most significant ones in detail. The full 7-page PDF report is available for download on the Ghost Architect homepage.
Meta OAuth access tokens are stored in window.facebookBusinessExtensionConfig — a JavaScript object rendered directly into the page DOM and readable by any browser extension, third-party script, or XSS payload with access to the window object.
In practical terms, any cross-site scripting vulnerability anywhere on the same page, whether in the theme, in another extension, or in a user-generated content field, can be used to exfiltrate a live OAuth token carrying whatever Facebook Business account access the extension was granted. No additional exploitation step is needed: a script that already runs in the page reads the token from the window object with a single property access. The same is true of every legitimately loaded third-party script (tag managers, analytics, chat widgets), and a Content Security Policy does not help against scripts the page itself allows.
The correct pattern is to keep OAuth tokens server-side and render only non-sensitive configuration (pixel ID, API version, feature flags) to the client; any call that needs the token goes through a server-side endpoint that holds it and enforces authorization. This is well-documented practice that the extension does not follow. A token that has already been rendered into a page should be treated as exposed and rotated.
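The check a practitioner wants here is to audit what the page itself exposes. The snippet below is an added example, not code from the Meta extension or from Ghost Architect: it walks an object graph the way any script running in the page could walk `window`, reports values that look like credentials, and shows the server-side allowlist that keeps a token out of the rendered config in the first place. The `fakeWindow` object, the key patterns and the `EAA` token-prefix heuristic are assumptions constructed for the demo; in a real browser you would run `findExposedSecrets(window)` from the console.

```javascript
// Added example, not code from the Meta extension or from Ghost Architect.
// Key names that usually hold credentials (heuristic, not exhaustive).
const SECRET_KEY_PATTERN = /token|secret|password|api[_-]?key/i;

// Meta access tokens are long opaque strings that in practice begin with
// "EAA". Assumption used as a heuristic for values stored under non-obvious keys.
const META_TOKEN_PATTERN = /^EAA[A-Za-z0-9]{20,}$/;

// Cycle-safe walk over an object graph; returns [{ path, reason }] for every
// string that is suspicious either by key name or by value shape.
function findExposedSecrets(root, maxDepth = 6) {
  const hits = [];
  const seen = new WeakSet();
  const walk = (obj, path, depth) => {
    if (obj === null || typeof obj !== 'object' || depth > maxDepth || seen.has(obj)) return;
    seen.add(obj);
    for (const key of Object.keys(obj)) {
      let value;
      try { value = obj[key]; } catch (e) { continue; } // cross-origin getters throw in a browser
      const here = path ? `${path}.${key}` : key;
      if (typeof value === 'string') {
        if (SECRET_KEY_PATTERN.test(key) && value.length >= 8) hits.push({ path: here, reason: 'key name' });
        else if (META_TOKEN_PATTERN.test(value)) hits.push({ path: here, reason: 'value shape' });
      } else {
        walk(value, here, depth + 1);
      }
    }
  };
  walk(root, '', 0);
  return hits;
}

// Server-side counterpart: build the object that gets rendered into the page
// from an explicit allowlist of non-sensitive keys, so a token can never reach
// the client by accident when someone adds a new field to the config later.
function publicConfig(serverConfig, allowedKeys) {
  const out = {};
  for (const key of allowedKeys) {
    if (key in serverConfig) out[key] = serverConfig[key];
  }
  return out;
}

// Constructed stand-in for window on a page that renders the whole config.
const fakeWindow = {
  location: { href: 'https://store.example/' },
  facebookBusinessExtensionConfig: {    // object name taken from the finding
    pixelId: '1234567890',
    accessToken: 'EAA' + 'A'.repeat(40), // placeholder value, not a real token
    apiVersion: 'v18.0',
  },
};

// The only keys the client-side code actually needs (assumed for the demo).
const SAFE_CLIENT_KEYS = ['pixelId', 'apiVersion'];
```

Run against `fakeWindow` the walker reports exactly one hit, `facebookBusinessExtensionConfig.accessToken`; run against `publicConfig(..., SAFE_CLIENT_KEYS)` it reports nothing. An allowlist is used on the server side rather than a denylist of key names because the denylist fails open the first time a field is named something the pattern does not anticipate.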
Ghost flagged the event ID deduplication race as the most expensive bug in the codebase, and expensive is the right word. The extension uses event ID deduplication to prevent the same conversion from being counted twice when both the browser Pixel and the server-side Conversion API report it: when both fire for the same event with the same event ID, Meta counts it once.
The issue is a race condition in the deduplication logic. Under load — which is exactly the condition that occurs during high-traffic periods like promotions, product launches, or seasonal peaks — the race condition causes duplicate Conversion API events to slip through deduplication and get counted as separate conversions by Meta's attribution system.
Ghost's analysis estimated that this causes 10–20% duplicate event reporting; that figure is an estimate derived from the code pattern, not a measurement on a live store. On a store spending $50,000/month in Meta ads, it means $5,000–$10,000 per month of spend attributed to conversions that never happened. The store appears to be performing better than it actually is, which distorts optimization decisions on top of the direct cost impact.
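The page does not show where in the extension the race lives, so what follows is an added example, not the extension's code: it reproduces the general shape of a check-then-act race in event ID deduplication against a simulated asynchronous store, and places it next to an atomic reservation that closes it. The store class, the event, the concurrency level and the sender functions are all constructed for the demo.

```javascript
// Added example, not the Meta extension's code. Simulates the race with a
// store whose reads and writes are asynchronous, the way a database or cache
// behaves. The gap between has() resolving and add() completing is the race.
class AsyncDedupStore {
  constructor() { this.ids = new Set(); }
  async has(id) { await Promise.resolve(); return this.ids.has(id); }
  async add(id) { await Promise.resolve(); this.ids.add(id); }
  // Atomic variant: check and insert in one synchronous step, so two
  // concurrent callers can never both observe "not present".
  reserve(id) {
    if (this.ids.has(id)) return false;
    this.ids.add(id);
    return true;
  }
}

// Racy sender: every concurrent call for the same event_id reads "not seen"
// before any of them has written, then all of them send. This is the shape
// that lets duplicate Conversion API events through under load.
async function sendRacy(store, sink, event) {
  if (await store.has(event.event_id)) return false;
  await store.add(event.event_id);
  sink.push(event); // stands in for the Conversion API call
  return true;
}

// Fixed sender: the reservation is the only decision point, and it is atomic.
async function sendAtomic(store, sink, event) {
  if (!store.reserve(event.event_id)) return false;
  sink.push(event);
  return true;
}

// Fire the same Purchase event `concurrency` times at once (a retried browser
// beacon plus a server-side order hook, say) and count what reaches the API.
async function countDelivered(sender, concurrency) {
  const store = new AsyncDedupStore();
  const sink = [];
  const event = { event_name: 'Purchase', event_id: 'purchase-10042' }; // constructed
  await Promise.all(Array.from({ length: concurrency }, () => sender(store, sink, event)));
  return sink.length;
}
```

With five concurrent sends, `countDelivered(sendRacy, 5)` resolves to 5 and `countDelivered(sendAtomic, 5)` resolves to 1. In a real deployment the atomic step is whatever the backing store offers as a single operation: a unique index on the event ID and an insert that fails on conflict, or a cache `SET` with the not-exists flag, rather than a separate read followed by a write.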
Arbitrary POST parameters submitted by an attacker are saved directly to core_config_data with no validation, no allowlist, and no CSRF protection on the endpoint. core_config_data is Magento's central configuration store — it controls everything from payment gateway settings to admin URLs to email routing.
Combine the missing allowlist with the missing CSRF protection and any authenticated user who can reach the endpoint can write arbitrary values to any configuration key in the system; with CSRF, an unauthenticated attacker who can get a logged-in user to load a page they control can do the same through that user's browser. The blast radius is essentially the entire store configuration.
This class of vulnerability — mass assignment with no input restriction — is well understood and has been a common finding in Magento extension security audits for years. Its presence here in a widely deployed Meta extension is a reminder that even extensions from recognized publishers warrant scrutiny.
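To make the pattern concrete, here is an added example that is not the extension's code: a config-save handler in the shape the finding describes, next to a hardened version that requires a POST with a valid CSRF form key, accepts only allowlisted configuration paths, and validates each value before it is written. The configuration paths in the allowlist, the form-key name, the request and session objects, and the in-memory store standing in for core_config_data are all constructed for the demo; `web/unsecure/base_url` is a real Magento core path used here only as the attacker's target.

```javascript
// Added example, not the Meta extension's code.
// Vulnerable shape: every POST parameter becomes a core_config_data row.
function saveConfigUnsafe(request, store) {
  for (const [path, value] of Object.entries(request.post)) store.set(path, value);
  return Object.keys(request.post);
}

// Allowlist of path -> validator. Nothing outside this map can be written.
// The paths are hypothetical and are not the extension's actual config keys.
const ALLOWED_CONFIG = {
  'facebook/business_extension/pixel_id': (v) => /^\d{5,20}$/.test(v),
  'facebook/business_extension/enabled': (v) => v === '0' || v === '1',
};

// Constant-time string comparison so a form-key check does not leak the
// session's key through timing differences.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x.charCodeAt(i) ^ y.charCodeAt(i);
  return diff === 0;
}

// Hardened shape: POST only, CSRF form key checked against the session,
// allowlisted paths only, every value validated, and a report of what was
// rejected so the caller can log attempted writes to unexpected keys.
function saveConfigSafe(request, session, store) {
  if (request.method !== 'POST') return { status: 405, saved: [], rejected: [] };
  if (!constantTimeEqual(request.post.form_key || '', session.formKey)) {
    return { status: 403, saved: [], rejected: [] };
  }
  const saved = [];
  const rejected = [];
  for (const [path, value] of Object.entries(request.post)) {
    if (path === 'form_key') continue;
    const validate = ALLOWED_CONFIG[path];
    if (!validate || typeof value !== 'string' || !validate(value)) {
      rejected.push(path);
      continue;
    }
    store.set(path, value);
    saved.push(path);
  }
  return { status: 200, saved, rejected };
}
```

Against a request that carries both `facebook/business_extension/pixel_id` and `web/unsecure/base_url`, the unsafe handler writes both; the safe handler refuses the whole request without a valid form key and, with one, writes the pixel ID and reports the base URL as rejected. On the PHP side the Magento-native equivalents of the form-key step are `Magento\Framework\Data\Form\FormKey\Validator` and implementing `CsrfAwareActionInterface` on the controller; the allowlist and per-value validation still have to be written by hand.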
Beyond the three Critical findings above, Ghost surfaced 15 additional findings at High, Medium, and Low severity. These included deprecated API usage patterns that will break against current Magento versions, missing output escaping in template files that create XSS surface area, inconsistent error handling that leaks internal path information, and several integration patterns with the Conversion API that don't follow Meta's current recommended implementation.
Important context: Ghost Architect findings are pattern-based starting points, not proof of exploitation. These findings represent architectural risks and code patterns that warrant investigation and remediation — they are not evidence that these vulnerabilities have been actively exploited in any specific installation. Always validate findings in the context of your specific deployment before assigning remediation priority.
What This Tells You About Your Own Codebase
The Meta extension is not an outlier. It's a well-resourced extension from a major platform vendor, written by professional developers, and it contains three Critical findings in 658 files. That's not a commentary on Meta's engineering team — it's a commentary on the reality of complex software in complex integration environments.
Most Magento stores are running 20, 30, or 50 extensions. They're running custom modules built by contractors whose names nobody remembers. They're running theme overrides that reach into core functionality in ways the original developers didn't document. They're running payment and shipping integrations that were installed years ago and touched only when they break.
Each of those components is attack surface. Each has its own integration patterns, its own configuration touchpoints, and its own potential for the kinds of findings we surfaced in the Meta extension. And in most cases, nobody has ever run a structured triage pass on any of them.
// The "it came from a trusted vendor" assumption
One of the most common responses we hear when agencies first see a triage report is surprise at findings in extensions they considered safe because they came from established vendors. The Meta extension is a good illustration of why trusted-by-default is not the same as reviewed. Vendor reputation is not a substitute for code review. The size of the company that wrote the extension is not a proxy for the security of the integration patterns it uses.
// The compound risk of multiple extensions
Individual extension findings are meaningful. But the more important analysis is how multiple extensions interact. A credential exposure in Extension A can be exploited through an XSS surface in Extension B. A mass assignment vulnerability in Extension C can be triggered via an unauthenticated endpoint introduced by Extension D. Ghost Architect's conflict detection looks for these interaction patterns — not just individual findings in isolation, but places where the combination of two or more extensions creates risk that neither creates alone.
// Third-party code is your responsibility
When a store has a security incident, the origin of the vulnerable code doesn't matter to the customer whose data was exposed, the card brand that initiates a forensic investigation, or the regulator reviewing the breach. Third-party extension code that runs on your platform is your responsibility to understand and manage. The extension vendor wrote it. You chose to deploy it. That choice carries an obligation to know what you deployed.
Why $0.23 Matters
The total API cost of this scan was $0.23. That's not a promotional figure — it's the actual Anthropic API cost printed in the terminal output at the end of the scan. Ghost Architect shows you exactly what each scan costs, every time.
The reason this matters is that cost has historically been the barrier to regular codebase auditing. Comprehensive manual code review is expensive and slow. Running it on 658 files across a full extension would take a senior developer multiple days. The economics of that don't work for most agencies on most projects.
At $0.23, the economics change. You can run a triage pass at project kickoff, after a major extension update, before a platform upgrade, before a client presentation, before a security audit. You can make codebase triage a regular part of your workflow rather than a project-milestone deliverable that only happens once every few years.
The Output: What You Actually Get
Every Ghost Architect scan produces three outputs simultaneously. The PDF is a branded, formatted report designed to be handed to a stakeholder or client — it includes an executive summary, severity-categorized findings, estimated remediation effort, and blast radius analysis for each finding. The TXT file is optimized for developers — it's structured for readability in a terminal or code editor and includes the technical detail developers need to action findings immediately. The MD file is designed to be committed to a repository, integrated into a project wiki, or dropped into a ticket system.
You don't have to choose between a document for your client and a document for your team. The scan produces both, simultaneously, from the same analysis pass.
Running It on Your Own Codebase
Ghost Architect runs entirely on your local machine. Your code is never uploaded to Ghost Architect's servers: the analysis calls, which carry the code being analyzed, go directly from your terminal to the Anthropic API using your own API key, so the data-handling terms that apply are those of your Anthropic account and Ghost Architect is never in the middle. The full report from this Meta extension scan is available for download on the Ghost Architect homepage if you want to see the complete output format before running your own scan.
Ghost Open is the free tier — available on npm, MIT licensed, no account required. It surfaces Critical and High findings. If you want the full severity range plus multi-pass analysis and PDF reports, Ghost Pro starts at $99/month.
Run a triage pass on your own codebase.
Install Ghost Open in under a minute. Point it at any local folder, GitHub repo, or zip file. See your Critical and High findings in under 10 minutes.
Try Ghost Open Free → Download the Full Report ↓