Security Experts:

Magento Flaw Exploited in the Wild Within 24 Hours After Disclosure

Malicious actors are attempting to hijack online shops by exploiting a recently disclosed critical vulnerability in Magento, the popular e-commerce platform owned by eBay.

According to Sucuri, the attacks, traced back to a couple of Russian IP addresses, started within 24 hours after the details of the vulnerability were published by researchers.

The security hole identified and reported by Check Point researchers in January, dubbed the “Shoplift bug,” is comprised of a chain of vulnerabilities that can be exploited by a remote attacker to execute PHP code on affected servers. The flaws are an authentication bypass (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399).

In the attacks spotted by Sucuri, the attackers are exploiting the SQL injection vulnerability to create admin accounts, which they will likely leverage at a later time to hijack the affected Magento-powered shops. The administrator accounts created by the malicious actors are named vpwq or defaultmanager, experts said.

Magento released an update to address the vulnerability on February 9. However, last week, just days before Check Point published a blog post detailing its findings, more than 50% of Magento websites had still not been patched.

Byte, a Dutch company that specializes in Magento hosting, reported that roughly 140,000 websites had been vulnerable as of April 14. On Thursday, Byte reported that there had still been nearly 100,000 unpatched websites.

While so far it seems that the Shoplift bug has only been exploited to create admin accounts, experts warn that malicious actors could leverage it to take full control of affected websites and steal customer information, including payment card data.

“The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point researchers explained. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

The security firm has published a video to demonstrate how an attacker could exploit the remote code execution vulnerability to significantly lower the price of an expensive item.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.