
Hackers publish details on critical Magento flaw

The Magento e-commerce platform could soon face a wave of attacks after exploit code for a critical vulnerability in the platform was published. The flaw could be used to plant payment card skimmers on sites that have not yet been updated.

PRODSECBUG-2198 is the identifier of the SQL injection vulnerability, which attackers can exploit without authenticating.

An attacker who can obtain user names and crack the password hashes protecting those credentials could exploit the flaw to take control of administrator accounts. With that access, they could install backdoors or whatever skimming code they choose.

A researcher at the security firm Sucuri confirmed this by reverse-engineering the recently released official patch to build a working proof-of-concept exploit.

Card skimming

Competing gangs of cybercriminals have spent the last six months trying to infect e-commerce sites with card-skimming malware that steals shoppers' payment details, using both known exploits and zero-day vulnerabilities. A flaw of this kind in Magento is likely to be exploited, given that more than 300,000 businesses and merchants run the platform.

Jérôme Segura, lead malware intelligence analyst at Malwarebytes, explained the severity of the situation to Ars Technica:

“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale. When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.” 

Comments in the published proof-of-concept code note that it could also be modified to pull other information from Magento's database, such as admin and user password hashes. The vulnerability has existed in Magento since version 1 of the software, so every Magento site that has not installed the latest update is potentially susceptible.

Magento's developers recently disclosed and patched a number of vulnerabilities, PRODSECBUG-2198 among them. A stand-alone patch for this flaw is available, but because the other flaws also pose a threat, all customers are advised to upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.
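A small triage helper for the upgrade advice above, written as an added example (it is not code from TechRadar, Ars Technica or Magento). It takes the fixed releases the article names, 2.3.1 and 2.2.8, and classifies a version string as at or above the fix for its 2.x branch, below it, or on a branch for which the article gives no fixed version (1.x or any other). The function names and the sample inventory are constructed for illustration.

```python
"""Triage helper: is a Magento version string at or above one of the fixed
releases named in the article (Commerce/Open Source 2.3.1 or 2.2.8)?

Added example, not code from TechRadar, Ars Technica or Magento. The fixed
version numbers come from the article; the function names and the sample
inventory below are assumptions made for illustration.
"""
import re

# Minimum fixed release per 2.x minor branch, as stated in the article.
FIXED_2X = {(2, 3): (2, 3, 1), (2, 2): (2, 2, 8)}


def parse_version(text):
    """Turn '2.3.0', 'Magento/2.2.7' or '2.3.1-p1' into a (major, minor, patch)
    tuple of ints. Raises ValueError when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (status, reason) for one version string.

    'patched'    - 2.x release at or above the fixed version for its branch
    'vulnerable' - 2.x release below the fixed version for its branch
    'unknown'    - 1.x or another 2.x branch: the article names no fixed
                   release for these, so check the stand-alone patch instead
    """
    major, minor, patch = parse_version(version_text)
    found = f"{major}.{minor}.{patch}"
    branch = (major, minor)
    if branch not in FIXED_2X:
        return "unknown", (f"{found}: no fixed release named for this branch; "
                           "confirm the stand-alone PRODSECBUG-2198 patch is applied")
    fixed = FIXED_2X[branch]
    fixed_text = ".".join(map(str, fixed))
    if (major, minor, patch) >= fixed:
        return "patched", f"{found} >= {fixed_text}"
    return "vulnerable", f"{found} < {fixed_text}; upgrade to {fixed_text}"


def triage(inventory):
    """Assess a {hostname: version string} mapping; returns {hostname: status}."""
    return {host: assess(ver)[0] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {
        "shop-a.example": "2.3.0",
        "shop-b.example": "2.2.8",
        "shop-c.example": "Magento/2.3.1-p1",
        "legacy.example": "1.9.3.10",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status} ({assess(sample[host])[1]})")
```

A version number alone cannot show whether the stand-alone patch was applied to an older release, so treat "vulnerable" as "needs verification" rather than as proof of exposure, and treat "unknown" as a prompt to check the patch on the host itself.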

Via Ars Technica

from TechRadar - All the latest technology news https://ift.tt/2OvT2Sa