Hackers publish details on critical Magento flaw

The Magento e-commerce platform could soon face a number of attacks after hackers publicly released code that exploits a critical vulnerability in its systems which could be used to plant payment card skimmers on sites that have not yet been updated.

PRODSECBUG-2198 is the name of the SQL injection vulnerability that attackers can exploit without the need for authentication.

Any hacker that can obtain user names and crack the password hashes protecting these credentials could theoretically exploit the flaw to take administrative control of administrator accounts. Upon gaining access, they then could install backdoors or any skimming code they choose.

How are consumers protecting themselves against online fraud?
Phishing scams account for half of all fraud attacks
Pointing to the future: the next step in fraud prevention

This method was tested by a researcher at the security firm Sucuri who managed to reverse-engineer a recently released official patch to create a working proof-of-concept exploit.

Card skimming

Competing gangs of cybercriminals have spent the last six months trying to infect e-commerce sites with card skimming malware to steal users' payment details. They employed known exploits as well as zero-day vulnerabilities to accomplish this and such a vulnerability in Magento's e-commerce platform will likely be exploited due to the fact that over 300,000 businesses and merchants use its services.

Lead malware intelligence analyst at Malwarebytes, Jérôme Segura explained the severity of the situation to Ars Technica, saying:

“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale. When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.”

When the proof-of-concept code was published, comments in the code revealed that it could also be modified to obtain other information from Magento's database such as admin and user password hashes. It was also discovered that the vulnerability has existed in Magento since version 1 of its software. This means that all Magento sites that have not installed the latest update are potentially susceptible.

The company's developers recently disclosed and patched a number of vulnerabilities including PRODSECBUG-2198. There is a stand-alone patch for this vulnerability but since the other flaws also pose a threat, it is recommended that all customers upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.

Via Ars Technica

We've also highlighted the best ecommerce platform

from TechRadar - All the latest technology news https://ift.tt/2OvT2Sa

New top story on Hacker News: Getting Laid Off in Tech – The Myth of Upper Middle Class Security

Getting Laid Off in Tech – The Myth of Upper Middle Class Security 22 by logicx24 | 4 comments on Hacker News.

The future of Magic Leap's promising AR efforts dim after layoffs

The Magic Leap Two is now further away than ever, unfortunately. Today in a blog post the augmented reality pioneer announced major layoffs and has decided to cut up to half of its workforce, according to some reports. The original Magic Leap One was supposed to be one of the first mainstream augmented reality headsets when it launched in 2018, but a high price point and lack of interest from developers left the headset high and dry after launch. According to the blog post, Magic Leap says it will be focusing its efforts on enterprise solutions (a statement HTC has made recently as well) and shift its focus away from consumer technology… at least for the time being. The company has been open about creating a second headset that would offer improved specs for some time, but how that work will now have to go forward without half of the team , according to some estimates, remains to be seen. Is the window closing on augmented reality? Although it’s just one company, Magic...

Airship acquires SMS commerce company ReplyBuy

Airship is announcing that it has acquired mobile commerce startup ReplyBuy . The startup (which was a finalist at TechCrunch’s 1st and Future competition in 2016) works with customers like entertainment venues and professional and college sports teams to send messages and sell tickets to fans via SMS. It raised $4 million in funding from Sand Hill Angels, Kosinski Ventures, SEAG Ventures, Enspire Capital, MRTNZ Ventures and others, according to Crunchbase . Airship, meanwhile, has been expanding its platform beyond push notifications to cover customer communication across SMS, email, mobile wallets and more. But CEO Brett Caine said this is the first time the company is moving into commerce. While sports and concerts tickets might not be a booming market right now, Caine suggested that the company is actually seeing increased purchasing activity “in and around the Airship platform” as businesses try to drive more in-app purchases. He also suggested that both the COVID-19 pandem...

Technology Simplified

Search This Blog