Hackers publish details on critical Magento flaw
Recently discovered SQL injection vulnerability could be exploited for card skimming
The Magento e-commerce platform could soon face a number of attacks after hackers publicly released code that exploits a critical vulnerability in its systems which could be used to plant payment card skimmers on sites that have not yet been updated.
PRODSECBUG-2198 is the name of the SQL injection vulnerability that attackers can exploit without the need for authentication.
Any hacker that can obtain user names and crack the password hashes protecting these credentials could theoretically exploit the flaw to take administrative control of administrator accounts. Upon gaining access, they then could install backdoors or any skimming code they choose.
- How are consumers protecting themselves against online fraud?
- Phishing scams account for half of all fraud attacks
- Pointing to the future: the next step in fraud prevention
This method was tested by a researcher at the security firm Sucuri who managed to reverse-engineer a recently released official patch to create a working proof-of-concept exploit.
Card skimming
Competing gangs of cybercriminals have spent the last six months trying to infect e-commerce sites with card skimming malware to steal users' payment details. They employed known exploits as well as zero-day vulnerabilities to accomplish this and such a vulnerability in Magento's e-commerce platform will likely be exploited due to the fact that over 300,000 businesses and merchants use its services.
Lead malware intelligence analyst at Malwarebytes, Jérôme Segura explained the severity of the situation to Ars Technica, saying:
“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale. When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
When the proof-of-concept code was published, comments in the code revealed that it could also be modified to obtain other information from Magento's database such as admin and user password hashes. It was also discovered that the vulnerability has existed in Magento since version 1 of its software. This means that all Magento sites that have not installed the latest update are potentially susceptible.
The company's developers recently disclosed and patched a number of vulnerabilities including PRODSECBUG-2198. There is a stand-alone patch for this vulnerability but since the other flaws also pose a threat, it is recommended that all customers upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.
Via Ars Technica
- We've also highlighted the best ecommerce platform
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.