A vulnerability in the Magneto e-commerce platform has been found by Check Point researchers, who are urging online store owners and administrators to apply a patch designed to address the problem. Check Point first contacted Magneto Security in January 14th, 2015. The patch, SUPEE-5344 (which can be downloaded for free here) was made available on February 9, and the flaw in Magneto’s system was disclosed to the public on April 22. An estimated two hundred thousand stores were affected by the vulnerability, including eBay.
What is the vulnerability?
The vulnerability is comprised of a series of weaknesses that allow attackers to access financial and personal information, including credit card details, from Magneto-based online stores. In short, unauthorised attackers are able to execute PHP code on the web server, bypassing security mechanisms to gain control of the store’s database. The vulnerability is common to both Community and Enterprise editions of Magneto, although Check Point users are protected from it by IPS software blade. Versions of Magneto that have been confirmed to be vulnerable are 220.127.116.11. CE and 18.104.22.168.EE.
How was it found?
The weak points in Magneto’s programming were discovered after Netanel Rubin of the Check Point Malware & Vulnerability Research Group tested the security of Magneto, acting as a ‘white hat hacker’ before hackers with criminal intent could exploit the flaw. Check Point is taking efforts to further public awareness of online security, aiming to educate both consumers and businesses.
The technical details of the weakness are complicated (You can read about the specifics of how Check Point found the vulnerability here) but simply put a series of flaws in the Magneto programme allows hackers to get past authentication checks including the login mechanism. Attackers can then see or add any code in the system, ultimately giving them complete access to the site. This is called RCE (Remote Code Execution) attack.
While no attacks to this specific vulnerability have been reported, the potential consequences to an online business could be devastating. If you’re an administrator or Magneto user, make sure that your online store is protected by using the patch. A demonstration of the consequences of an RCE attack is available here.
How we can help
Wirebox can assist in updating your magento site, please contact us today.