eBay’s Magento pushes patch after credit card threat

E-commerce platform Magento has stressed its customers need to update to the latest version of its software following reports of new attacks that could expose credit card details.

Magento, an eBay-owned company e-commerce platform provider, is pushing customers to install a security update that fixes a flaw that’s come under attack by hackers after security researchers released details about the bug last week.

Security firm Check Point on Monday April 20 detailed a remotely exploitable bug that it had reported to Magento in January. Magento released a fix for the bug on February 9 under the “SUPEE-5344” update and says it had told customers then about the flaw. However, on Friday, following further reports the bug was being exploited, Magento issued another warning that reminded customers they should install the update.

Check Point’s report on Monday included proof of concept attack code, which disclosed the basics of what would be required for an attacker to exploit the bug. Another security firm, Sucuri, found evidence that hackers were attempting to exploit the bug within 24 hours of Check Point’s report being published by scanning for installations that hadn’t applied the update.

The Magento bug affects up to 200,000 e-commerce sites and more notably sites that are designed to take customer credit card numbers.

In a blog post on Friday, Magento said the bug affects Magento Enterprise Edition and Magento Community Edition. It emphasised that it “allows attackers to obtain control over a store and its sensitive data, including personal customer information.”

Attempted attacks on potentially vulnerable sites rose after Check Point’s disclosure, according to Sucuri, which had been pre-notified of Check Point’s report and warned ahead of its release that “the severity of this issue cannot be understated,” urging anyone using Magento to update immediately.

The attacks were coming from two Russian IP addresses, and were found to be injecting malicious SQL commands into input fields on a range of e-commerce sites in search of those running outdated versions of Magento, according to Sucuri.

The Friday post by Magento was the first time it acknowledged the issue on its blog, however it said that on February 9 it recommended merchants to update, and did so again to merchants and partners on April 16 — that is, ahead of Check Point’s disclosure.

Read more: WordPress 4.2.4 fixes critical flaws affecting hundreds of thousands of websites

Magento also issued an update for website application firewall (WAF) providers on the weekend. Website optimisation firm CloudFlare on Saturday said all customers using its WAF "needs to click the ON button next to the “CloudFlare Magento” Group in the WAF Settings to enable protection immediately."

Magento has provided links to its update for the community and the enterprise versions of its product via its support pages. Vulnerable versions include Community Edition and Enterprise Edition.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags e-commercecheck pointCloudFlareSucurisecurity updatesensitive dataCSO AustraliaeBay’s MagentoRussian IP addressescredit card threatwebsite application firewall (WAF)SUPEE-5344

Show Comments