Patch your Magento Installs Immediately

If you run a Magento-powered e-commerce site, update it as soon as possible. One of the patched flaws is a SQL injection that can be exploited without authentication or privileges.

Magento, which is part of Adobe, has just released a software patch. It addresses several vulnerabilities, one of which requires no authentication and is easy to exploit.

Most of the vulnerabilities require the attacker to be authenticated on the site or to hold some level of privilege. One, however, is a SQL injection vulnerability that can be exploited without authentication or privileges, Montpas writes.

“Unauthenticated attacks, like the one seen in this particular SQL injection vulnerability, are very serious because they can be automated – making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Montpas writes. “The number of active installs, the ease of exploitation and the effects of a successful attack are what makes this vulnerability particularly dangerous.”

PRODSECBUG-2198, the patch released for this vulnerability, addresses a SQL injection flaw that could be used to pull usernames and hashed passwords from databases such as Oracle and MySQL.

Since Magento is used mostly on e-commerce websites, the sensitive nature of the data it handles makes this a security threat that site owners should patch immediately.

Sucuri security researchers reverse engineered the patch and found that the patched flaws include cross-site request forgery, cross-site scripting, SQL injection and remote code execution. Although no attacks exploiting the vulnerability have been confirmed in the wild, Sucuri will not be releasing its proof-of-concept exploit.

Because the vulnerability is so serious, they will not publish any technical details for the time being.

Both the free and commercial versions of Magento are affected; site owners should upgrade to version 2.3.1 or 2.2.8.

Montpas recommended checking the web server's access_log file to see how many times there has been a request to the path /catalog/product/frontend_action_synchronize.

“An occasional hit to that path may indicate a legitimate request, but more than a couple of dozen hits from the same IP in a few minutes should be considered suspicious,” he writes.
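As an added example (not code from the article or from Sucuri), the Python script below applies that heuristic to web server access logs: it counts hits to the path from each client IP within a sliding time window and reports the IPs that exceed a threshold. The threshold of 24 hits and the five-minute window are assumptions standing in for "more than a couple of dozen hits in a few minutes", and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request path the article tells site owners to watch for.
SUSPECT_PATH = "/catalog/product/frontend_action_synchronize"
# "More than a couple of dozen hits from the same IP in a few minutes":
# the exact threshold and window below are assumptions for this example.
THRESHOLD = 24
WINDOW = timedelta(minutes=5)

# Apache/Nginx combined-format line: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    path = target.split("?", 1)[0]  # ignore any query string when comparing
    return ip, when, path

def flag_suspicious(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak hits in any window} for IPs whose peak exceeds threshold."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == SUSPECT_PATH:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

SAMPLE_LOG = [  # constructed: one legitimate hit, one unrelated request
    '203.0.113.9 - - [29/Mar/2019:10:00:01 +0000] "GET /catalog/product/frontend_action_synchronize HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Mar/2019:10:00:02 +0000] "GET /checkout/cart HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
] + [  # then a constructed burst of 30 hits from one client, 5 seconds apart
    '198.51.100.7 - - [29/Mar/2019:10:%02d:%02d +0000] "POST /catalog/product/frontend_action_synchronize HTTP/1.1" 200 17 "-" "python-requests/2.21"'
    % divmod(i * 5, 60) for i in range(30)
]
```

Running `flag_suspicious(SAMPLE_LOG)` on the constructed log reports only the bursting client; the single hit from the other address is left alone, as the article suggests it should be.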

Malware developers, hackers and criminal groups are constantly improving their game, and have long specialized in slipping payment card skimming code or other malware into Magento websites. Security vendors, including RiskIQ, Sucuri and Group-IB, have been tracking these groups and their techniques.

The internet is full of e-commerce websites, which gives attackers a huge array of targets and increases their chance of finding a weak one, compared with attacking payment processors directly. Skimming code is difficult to detect and may run from a single line of code.

E-commerce websites have been around for quite some time, and cybercriminal groups have developed clever methods to harvest payment card data. One is to directly subvert the payment software within the site; another is to infiltrate third-party software tools the site loads.

Ticketmaster is a good example. It fell victim to an attack that subverted chatbot software from Inbenta Technologies: the attackers modified a script within the chatbot software so that it collected payment and login details. Ticketmaster and Inbenta then traded blame for the breach.

Security company RiskIQ discovered that another third-party tool, within a marketing and analytics service called SociaPlus, had also been used to steal payment card details submitted to Ticketmaster.

Besides Ticketmaster, British Airways and Newegg have been victims. Roughly 380,000 cards were compromised in the British Airways attack by a malicious JavaScript. With Newegg, the attack vector was similar.

A malicious script was placed on the payment-processing page itself and would have been activated after someone added an item to a cart and entered a validated email address, RiskIQ said.
