Magento bug exploited to steal payment data from ecommerce websites
A “cleverly crafted layout template in the database” was found
Cybersecurity researchers recently discovered a critical vulnerability in the Magento, one of the best ecommerce platforms, which allowed threat actors to deploy persistent backdoors onto vulnerable servers.
Experts from Sansec published a blog post detailing a “cleverly crafted layout template in the database”, used to automatically inject malware.
The template abused an “improper neutralization of special elements” vulnerability, now tracked as CVE-2024-20720, and carrying a severity score of 9.1 (critical).
Targeting Europeans
Magento is an open-source e-ommerce platform written in PHP, acquired by Adobe in mid-2018, for $1.68 billion. Today, more than 150,000 online stores use Magento, which is generally perceived as one of the top e-commerce platforms out there.
"Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," the researchers said in their writeup. "Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested."
The command in this case is called sed, and adds a backdoor to the CMS controller. “Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run:” they concluded.
Magento fixed the flaw with a security patch published on February 13 this year, so if you haven’t already installed it, now would be a good time.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Given Magento’s popularity, it’s no wonder that it’s a major target. One of the biggest credit card skimmers out there is called MageCart, and the last time we heard of it, threat actors have been using the tool to target websites running outdated and unsupported versions of Magento in bulk.
In February 2022, Sansec discovered more than 500 infections that occurred on the same day, with the same malware. The researchers said the attackers used the naturalfreshmalll.com domain (quickly defunct) to load the malware onto ecommerce websites running Magento 1.
This version reached its end-of-life on June 30, 2020, meaning it no longer receives regular security and usability updates, making it a perfect target for cybercriminals.
Via TheHackerNews
More from TechRadar Pro
- MageCart attacks return to target hundreds of outdated ecommerce sites
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.