Attackers could access payment card info and customer data

Apr 21, 2015 13:37 GMT  ·  By

A critical remote code execution vulnerability in the Magento ecommerce platform could be exploited by attackers to compromise online merchants relying on this solution and steal payment card data and customer information.

Magento, owned by eBay, released a patch for the security flaw on February 9 (SUPEE-5344), but it appears that plenty of website administrators have yet to apply the update.

Numerous websites still exposed two months after patch release

Slow adoption of the patch may be due to the fact that, in some cases, administrators received news of the critical update with significant delay.

Software developer Branko Ajzele, who manages multiple sites running Magento, received the patch alert on April 16, more than two months after its official release. In a tweet on Friday, he said that he had to update 10 sites to the new version of the online commerce platform.

According to website security company Sucuri, on Saturday, more than 50% of the websites using eBay’s ecommerce solution were exposed, which would translate to hundreds of thousands.

The number may have dropped since then, but it is unlikely that all websites adopted the latest Magento release.

Vulnerability researchers at Check Point Software Technologies, who discovered the flaw and disclosed it privately to Magento, said on Monday that nearly 200,000 online shops were affected.

It is unclear, though, whether this number was recorded at the time the vulnerability was discovered or whether it is based on recent telemetry data.

Technical details soon to be released, working PoC expected

“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores - which represents about 30% of the ecommerce market,” said Shahar Tal, Malware and Vulnerability Research Manager at Check Point.

The remote code execution possibility stems from a chain of multiple vulnerabilities (credited to Netanel Rubin), all present in Magento, that could be exploited together to execute PHP code on the web server, giving an attacker control over the store's complete database.

Rubin says that the flaws affect any default installation of both the Community and Enterprise Editions of Magento.

At the moment, all technical details are being kept private, but the security company plans to publish an analysis of the vulnerability later today.

Considering this, admins should hurry to update their Magento-based stores, since a published technical analysis is bound to lead to a proof-of-concept that cybercriminals could adapt for attacks.