Security Experts:

Critical Flaw in Magento eCommerce Platform Exposes Online Shops

Malicious Hackers Can Exploit a Vulnerability in Magento to Access Credit Card Data

Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. The security hole exposes the details of millions of individuals who shop on the hundreds of thousands of online stores that use Magento.

According to Check Point Software, unpatched versions of the platform are plagued by a critical remote code execution (RCE) vulnerability that can be exploited to compromise online shops powered by Magento. A malicious actor can gain access to credit card details and other financial and personal information belonging to the affected sites’ customers.

“The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point wrote in a blog post on Monday. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

An FAQ published by Byte, a Dutch company that specializes in Magento hosting, suggests that Check Point has identified three vulnerabilities: a website authentication bypass that can be exploited via specially crafted HTTP requests (CVE-2015-1398), a SQL injection vulnerability (CVE-2015-1397), and a remote file inclusion flaw (CVE-2015-1399).

The vulnerabilities leading to remote code execution were identified and reported by Check Point in January, and Magento fixed the flaws on February 9 with the release of the SUPEE-5344 patch. The administrators of online shops are advised to apply the patch as soon as possible, especially since the security firm will release its technical analysis on Tuesday.

Magento is a highly popular platform. According to the developer, the solution is used by 240,000 merchants from all over the world, and it has a market share of 34% in the Alexa top 1 million list of websites.

While the patch has been available for more than two months, there are still numerous websites that remain vulnerable. According to Sucuri, more than 50% of Magento installations had not been patched as of April 18.

Byte has created an online tool that allows store owners to test if their websites are plagued by the vulnerability. According to the company, which has dubbed the flaw the “Shoplift bug,” 60% of Magento installations had been affected as of April 14, which translates to 140,000 vulnerable websites.

Both Byte and Sucuri have pointed out that the vulnerability is critical and it is likely to be exploited in the wild in the upcoming days.

“Once an executable exploit is published, it is estimated that every unpatched Magento installation will be compromised within 48 hours. The same happened to Drupal within 7 hours. Lists of global Magento installs are readily available on the web,” Byte said in its advisory.

Check Point will not publish any actual exploit code for the vulnerability, but Sucuri founder and CTO Daniel Cid believes an exploit will be developed shortly after details are released.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.