Skip to main content

Hackers publish details on critical Magento flaw

The Magento e-commerce platform could soon face a number of attacks after hackers publicly released code that exploits a critical vulnerability in its systems which could be used to plant payment card skimmers on sites that have not yet been updated.

PRODSECBUG-2198 is the name of the SQL injection vulnerability that attackers can exploit without the need for authentication.

Any hacker that can obtain user names and crack the password hashes protecting these credentials could theoretically exploit the flaw to take administrative control of administrator accounts. Upon gaining access, they then could install backdoors or any skimming code they choose.

This method was tested by a researcher at the security firm Sucuri who managed to reverse-engineer a recently released official patch to create a working proof-of-concept exploit.

Card skimming

Competing gangs of cybercriminals have spent the last six months trying to infect e-commerce sites with card skimming malware to steal users' payment details. They employed known exploits as well as zero-day vulnerabilities to accomplish this and such a vulnerability in Magento's e-commerce platform will likely be exploited due to the fact that over 300,000 businesses and merchants use its services.

Lead malware intelligence analyst at Malwarebytes, Jérôme Segura explained the severity of the situation to Ars Technica, saying:

“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale. When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.” 

When the proof-of-concept code was published, comments in the code revealed that it could also be modified to obtain other information from Magento's database such as admin and user password hashes. It was also discovered that the vulnerability has existed in Magento since version 1 of its software. This means that all Magento sites that have not installed the latest update are potentially susceptible.

The company's developers recently disclosed and patched a number of vulnerabilities including PRODSECBUG-2198. There is a stand-alone patch for this vulnerability but since the other flaws also pose a threat, it is recommended that all customers upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.

Via Ars Technica



from TechRadar - All the latest technology news https://ift.tt/2OvT2Sa

Comments

Popular posts from this blog

TalentLMS

 

The best cheap PS4 bundles, deals and prices in the November sales

Black Friday sales are coming thick and fast and with the weekend's excellent PS4 bundle deals still in stock you'll be happy to find some amazing prices on the Slim and Pro models this week - and we've rounded them up in our Black Friday PS4 deals page for you too. If you're looking for a cheap PS4 bundle deal, this week is a fantastic time to buy, with prices as low as £239 on the Slim and £290 on the Pro.  You're in for a great time too, as so many of the best PS4 games are super cheap nowadays. You've got plenty of great titles to enjoy for far less than they originally sat on store shelves for, and over the Black Friday sales you'll have more than enough opportunity to take advantage of even lower game prices.  Naturally, lots of the below PS4 bundles come with the hottest games. And yes, we've tracked down the new Limited Edition Days of Play PS4 for you too.  We're on the hunt for the lowest PS4 prices all year round, so we aren't ea...