Merely hours after a critical flaw in eBay's e-commerce platform, Magento, was disclosed, cyber-criminals pounced on the vulnerability, attempting to hijack online shops, stealing credit card information and potentially taking full control of Magento sites.
Detailing the attack scenario, analysts at Sucuri show that, given the present flaw, hackers are able to exploit the SQL injection vulnerability, thereby creating administrator accounts, named vpwq or defaultmanager, on the vulnerable platform. According to Sucuri's analysis, at least some of the attacks have been traced to Russian IP addresses.
Check Point security joined the discussion, underscoring the severity of this vulnerability to e-commerce websites. "The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point stated in a video demonstrating a cyber-attack exploiting the Magento flaw. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”
As many as 140,000 sites remain vulnerable and nearly 100,000 magento platforms are still unpatched, Magento hosting company, The Byte, reported last week.