Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Magento Flaw Exploited in the Wild Within 24 Hours After Disclosure

Malicious actors are attempting to hijack online shops by exploiting a recently disclosed critical vulnerability in Magento, the popular e-commerce platform owned by eBay.

Malicious actors are attempting to hijack online shops by exploiting a recently disclosed critical vulnerability in Magento, the popular e-commerce platform owned by eBay.

According to Sucuri, the attacks, traced back to a couple of Russian IP addresses, started within 24 hours after the details of the vulnerability were published by researchers.

The security hole identified and reported by Check Point researchers in January, dubbed the “Shoplift bug,” is comprised of a chain of vulnerabilities that can be exploited by a remote attacker to execute PHP code on affected servers. The flaws are an authentication bypass (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399).

In the attacks spotted by Sucuri, the attackers are exploiting the SQL injection vulnerability to create admin accounts, which they will likely leverage at a later time to hijack the affected Magento-powered shops. The administrator accounts created by the malicious actors are named vpwq or defaultmanager, experts said.

Magento released an update to address the vulnerability on February 9. However, last week, just days before Check Point published a blog post detailing its findings, more than 50% of Magento websites had still not been patched.

Byte, a Dutch company that specializes in Magento hosting, reported that roughly 140,000 websites had been vulnerable as of April 14. On Thursday, Byte reported that there had still been nearly 100,000 unpatched websites.

While so far it seems that the Shoplift bug has only been exploited to create admin accounts, experts warn that malicious actors could leverage it to take full control of affected websites and steal customer information, including payment card data.

“The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point researchers explained. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

The security firm has published a video to demonstrate how an attacker could exploit the remote code execution vulnerability to significantly lower the price of an expensive item.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.