This January, security researchers at Check Point discovered a set of vulnerabilities in Magento that could potentially allow a malicious actor to execute arbitrary PHP code on eCommerce sites, allowing an attacker to create a new admin account or to steal sensitive information, along with any number of other actions harmful to both eCommerce retailers and their customers.
Check Point disclosed the vulnerability to the Magento team, who quickly issued a patch. The patch has been available for more than two months. Last week, in accordance with the doctrine of full disclosure, Check Point released comprehensive details of the vulnerability, explaining how it was discovered, the code flaws that made it possible, and how it can be exploited.
This is entirely in line with what is widely viewed as ethical within the security research community. Developers are given time to create a patch, users are given time to apply it, and then the details are made public so that users and the wider community know exactly what’s been happening. In this case, Check Point claims that they saw the attack being used in the wild prior to their release.
Unfortunately, once the details were released, web security companies, including Sucuri, began to observe a large increase in the incidence of the attack being used in the wild against sites that had not been patched. It’s estimated that almost 100,000 eCommerce stores are vulnerable.
Magento eCommerce store owners should immediately apply the relevant patch: it can be found on this page under the name SUPEE-5344.
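As an added check for store owners (example code written for this post, not Magento's own tooling and not from the original article), the shell function below reports whether SUPEE-5344 is recorded as applied on a Magento 1.x install. It assumes that Magento's patch scripts append one line per applied patch, containing the patch name, to app/etc/applied.patches.list under the store root; the path and the file format are assumptions about the stock tooling, and the sample lines used in testing are constructed.

```shell
#!/bin/sh
# Added example: verify that SUPEE-5344 is recorded as applied on a Magento 1.x install.
# Assumption: Magento's patch .sh scripts log each applied patch as a line that
# contains the patch name in app/etc/applied.patches.list (not stated on the page).

# Usage: check_supee_5344 /path/to/magento/root
# Prints a verdict; returns 0 if the patch is recorded, 1 otherwise.
check_supee_5344() {
    root="$1"
    list="$root/app/etc/applied.patches.list"

    # No log at all means no patch script has ever run here: treat as unpatched.
    if [ ! -f "$list" ]; then
        echo "no applied.patches.list under $root: no patches recorded, treat as UNPATCHED"
        return 1
    fi

    # Any line naming the patch counts as applied.
    if grep -q 'SUPEE-5344' "$list"; then
        echo "SUPEE-5344 recorded in $list"
        return 0
    fi

    echo "SUPEE-5344 NOT recorded in $list: apply the patch"
    return 1
}

# When run directly with a store root as the argument, check that store.
if [ "$#" -gt 0 ]; then
    check_supee_5344 "$1"
fi
```

A missing log file is deliberately reported as unpatched rather than unknown: on a store that has never had a patch applied, the absence of the record is the finding that matters.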
The vulnerability occurs because of a couple of flaws in Magento’s code. The original disclosure can be found on Check Point’s site.
Essentially, the vulnerability allows an unauthenticated user — anyone with the ability to exploit the vulnerability — to run arbitrary PHP (and SQL) code on a Magento store. That means they have full access to the store’s database, including any sensitive user information. There is even the potential for them to access credit card holder data, which, while usually stored encrypted, may be available for copying while it is in use by Magento. Unless your Magento site is patched, it is entirely open to exploitation by criminals.
And if that’s not enough to motivate you to apply the patch, if your site hasn’t already been taken care of, watch this video, which demonstrates an attacker purchasing a $10,000 watch for $0 by leveraging the vulnerability to insert a coupon code into a Magento site’s database.