Magento exploit endangers e-commerce sites
Attack code has been published that exploits a critical vulnerability in the Magento e-commerce platform, meaning it could be used to plant payment card-skimmers on sites that have not yet installed a fix.
According to Marc-Alexandre Montpas, a security researcher at Sucuri, last week Magento released a patch that fixes multiple types of vulnerabilities, including cross-site request forgery, cross-site scripting, SQL injection and remote code execution.
He says in order to exploit most of these vulnerabilities, the hacker needs to be authenticated on the site and have at least some level of privilege. However, one of the bugs includes a SQL injection that requires neither to be exploited, and given the nature of data handled by e-commerce sites, could endanger customer information.
SQL injections enable threat actors to inject their own commands to an SQL database such as Oracle, MySQL, MariaDB or MSSQL. Using this vulnerability allows them to access sensitive data from an affected site's database, including usernames and password hashes, Montpas adds.
The issue affects sites using the open source and commercial versions of the software. The affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.
Considering the risk this bug poses, and the fact that Sucuri is not seeing attacks in the wild yet, Montpas says it would refrain from publishing any technical details for the time being. "Our team reversed the official patch and successfully created a working proof of concept exploit for internal testing and monitoring."
Unauthenticated attacks, such as the one seen in this particular vulnerability, can be automated. "The number of active installs, the ease of exploitation, and the effects of a successful attack are what make this vulnerability particularly dangerous."
To avoid falling victim, Montpas advises to keep content management systems themes and plugins up to date with the latest patches. He also encourages Magento users to update their sites to the latest version of the branch they are using.
"In the event that you are unable to update immediately, you can virtually patch the vulnerability with a Web application firewall."
"This may lead to one of the most disastrous Web hacking campaigns," comments High-Tech Bridge CEO Ilia Kolochenko. "Magento is mostly used on trusted e-commerce Web sites and thus opens a door to a great wealth of sensitive personally identifiable information, including valid credit card details."
According to Kolochenko, it is possible that professional Black Hat groups could have already started the exploitation a couple of days ago or even earlier, and this could be the tip of the iceberg.
"Frequently, skilled hackers may even patch the vulnerability to preclude 'competitors' from breaching the same target. All Magento Web site owners should urgently update their systems and check the Web server and all other available logs for indicators of compromise," he adds.