As discovered by security researchers at Check Point Technologies, the flaw in the open-source e-commerce platform stems from a number of different vulnerabilities which, when pieced together, could allow an attacker to execute PHP code on the store's web server, bypassing security controls in the process.
The same attackers could also gain administrator access to the system, at which point they could do everything from stealing money, credentials and personal details to taking control of certain databases.
All of these vulnerabilities are present in the Magento core, and they affect any default installation of Magento Community and Enterprise Editions. Check Point customers are already protected from attempts to exploit this vulnerability through the IPS software blade.
The worst part is that Check Point privately disclosed the vulnerabilities, with a list of suggested fixes, to eBay back in January. A patch to address the flaws (SUPEE-5344) was released shortly afterwards, on 9 February. Store owners and admins have been urged to patch since then, although at the time of writing, an estimated 200,000 e-commerce sites remain vulnerable.
“As online shopping continues to overpower in-store shopping, e-commerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies, in a statement.
“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30 percent of the e-commerce market.”
“If you follow a list of actions you are able to remotely execute any code on that platform with administrator privileges,” he said, adding it would be ‘game over' at that point, with hackers able to exfiltrate data, sabotage systems or even launch ransomware attacks. He did, however, add that this was not an insignificant attack in terms of technical capability.
Karsenti added that eBay – for all its faults post-data breach last year – had responded promptly to the disclosure, which wasn't always the case with some vendors taking “months if not years.”
With Magento accounting for 30 percent of e-commerce sites, and around half remaining unpatched, he said on patch management: “Security has to be a process, which must include patch management – and this is not the case for most. Still many of them are not going to patch the system because it might be down for a few minutes, and never sure what's going to happen.
“Many still see [patching] as a burden…as an option.” The Check Point exec continued that technology vendors could help improve security with automated updates, like what Microsoft has done with Windows Update.
Roy Tobin, threat researcher at Webroot, told SC:
“There are several issues that have been raised with the Magento platform flaw, but the most important is that web admins are always on top of new patches and releases for any used plugins or, in this case, an entire platform. Creating a website and only updating content is not enough; websites must be treated like an endpoint with regular updates and security checks.
“Anyone who suspects they have used a website that is based on the Magento platform should look to see if the site has been affected and whether this will impact their personal details. We would also suggest a change of password just to be safe.”
eBay acquired Magento in 2011 for US$180 million. Magento's website lists eBay, Nike, Mothercare and Gant as just some of its customers.