Magento bug exploited to steal payment data from ecommerce websites

News
By published

A “cleverly crafted layout template in the database” was found

Editorial use only
(Image credit: Shutterstock / monticello)

Cybersecurity researchers recently discovered a critical vulnerability in the Magento, one of the best ecommerce platforms, which allowed threat actors to deploy persistent backdoors onto vulnerable servers.

Experts from Sansec published a blog post detailing a “cleverly crafted layout template in the database”, used to automatically inject malware

The template abused an “improper neutralization of special elements” vulnerability, now tracked as CVE-2024-20720, and carrying a severity score of 9.1 (critical).

Targeting Europeans

Magento is an open-source e-ommerce platform written in PHP, acquired by Adobe in mid-2018, for $1.68 billion. Today, more than 150,000 online stores use Magento, which is generally perceived as one of the top e-commerce platforms out there.

"Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," the researchers said in their writeup. "Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested."

The command in this case is called sed, and adds a backdoor to the CMS controller. “Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run:” they concluded. 

Magento fixed the flaw with a security patch published on February 13 this year, so if you haven’t already installed it, now would be a good time.

Given Magento’s popularity, it’s no wonder that it’s a major target. One of the biggest credit card skimmers out there is called MageCart, and the last time we heard of it, threat actors have been using the tool to target websites running outdated and unsupported versions of Magento in bulk. 

In February 2022, Sansec discovered more than 500 infections that occurred on the same day, with the same malware. The researchers said the attackers used the naturalfreshmalll.com domain (quickly defunct) to load the malware onto ecommerce websites running Magento 1. 

This version reached its end-of-life on June 30, 2020, meaning it no longer receives regular security and usability updates, making it a perfect target for cybercriminals.

Via TheHackerNews

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
Google system abused by hackers to hijack ecommerce stores
A person holding a credit card in one hand while typing on a laptop keyboard with the other.
WordPress users targeted by devious new credit card skimmer malware
WordPress
Another top WordPress plugin found carrying critical security flaws
Casio logo
Casio’s online store hit by bogus credit card stealing checkout form
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
HDD

Seagate teams with Nvidia to build an NVMe hard drive proof of concept, more than 3 years after its last effort
See more latest
Most Popular
HDD
Seagate teams with Nvidia to build an NVMe hard drive proof of concept, more than 3 years after its last effort
Open AI
OpenAI live stream - could we see a major ChatGPT upgrade?
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar has the world's first Bluetooth audio gateway in a wired gaming microphone