Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Flaw in Magento eCommerce Platform Exposes Online Shops

Malicious Hackers Can Exploit a Vulnerability in Magento to Access Credit Card Data

Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. The security hole exposes the details of millions of individuals who shop on the hundreds of thousands of online stores that use Magento.

Malicious Hackers Can Exploit a Vulnerability in Magento to Access Credit Card Data

Researchers have identified a serious vulnerability in Magento, the popular e-commerce platform owned by eBay. The security hole exposes the details of millions of individuals who shop on the hundreds of thousands of online stores that use Magento.

According to Check Point Software, unpatched versions of the platform are plagued by a critical remote code execution (RCE) vulnerability that can be exploited to compromise online shops powered by Magento. A malicious actor can gain access to credit card details and other financial and personal information belonging to the affected sites’ customers.

“The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point wrote in a blog post on Monday. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

An FAQ published by Byte, a Dutch company that specializes in Magento hosting, suggests that Check Point has identified three vulnerabilities: a website authentication bypass that can be exploited via specially crafted HTTP requests (CVE-2015-1398), a SQL injection vulnerability (CVE-2015-1397), and a remote file inclusion flaw (CVE-2015-1399).

The vulnerabilities leading to remote code execution were identified and reported by Check Point in January, and Magento fixed the flaws on February 9 with the release of the SUPEE-5344 patch. The administrators of online shops are advised to apply the patch as soon as possible, especially since the security firm will release its technical analysis on Tuesday.

Magento is a highly popular platform. According to the developer, the solution is used by 240,000 merchants from all over the world, and it has a market share of 34% in the Alexa top 1 million list of websites.

While the patch has been available for more than two months, there are still numerous websites that remain vulnerable. According to Sucuri, more than 50% of Magento installations had not been patched as of April 18.

Advertisement. Scroll to continue reading.

Byte has created an online tool that allows store owners to test if their websites are plagued by the vulnerability. According to the company, which has dubbed the flaw the “Shoplift bug,” 60% of Magento installations had been affected as of April 14, which translates to 140,000 vulnerable websites.

Both Byte and Sucuri have pointed out that the vulnerability is critical and it is likely to be exploited in the wild in the upcoming days.

“Once an executable exploit is published, it is estimated that every unpatched Magento installation will be compromised within 48 hours. The same happened to Drupal within 7 hours. Lists of global Magento installs are readily available on the web,” Byte said in its advisory.

Check Point will not publish any actual exploit code for the vulnerability, but Sucuri founder and CTO Daniel Cid believes an exploit will be developed shortly after details are released.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.