Magento e-commerce sites at hacking risk
Written by Peter Walker
A vulnerability in the Magento e-commerce platform is putting as many as 300,000 retail websites at risk of card-skimming until they install a recently-released patch.
The bug, named PRODSECBUG-2198, is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take control of administrator accounts, assuming they can download user names and passwords, installing backdoors or skimming code.
Satnam Narang, senior research engineer at cyber security firm Tenable, explained: “Earlier this week, Magento published a security update to address over 30 vulnerabilities in Magento Open Source and Commerce.
“Most notable in this release is a patch for PRODSECBUG-2198, an unauthenticated SQL injection vulnerability that can lead to remote code execution.”
Narang noted that while there is no proof of concept code or exploit scripts available for this bug yet, due to the relative ease of exploitation, Magento site owners should upgrade to these patched versions as soon as possible.
“Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed."
Magento is used by more than 15 million e-commerce sites. With the proliferation of attacks like Magecart - a card-skimming hacker group which hit British Airways and Ticketmaster last year - vulnerabilities can become serious security risks very quickly.
Research last August, from cyber security consultancy Foregenix, on small and medium-sized company websites globally - including around 15,000 in the UK - found that 86 per cent of Magento-backed websites were missing critical security patches.
Magento did not respond to requests for comment at time of going to press.
A post on its website did, however, note that an SQL injection vulnerability has been identified in pre-2.3.1 Magento code.
"To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198, however, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8," it read, adding: "We strongly suggest that you install these full patches as soon as you can."