Hackers publish details on critical Magento flaw

Image Credit: Pixabay
(Image credit: Pixabay)

The Magento e-commerce platform could soon face a number of attacks after hackers publicly released code that exploits a critical vulnerability in its systems which could be used to plant payment card skimmers on sites that have not yet been updated.

PRODSECBUG-2198 is the name of the SQL injection vulnerability that attackers can exploit without the need for authentication.

Any hacker that can obtain user names and crack the password hashes protecting these credentials could theoretically exploit the flaw to take administrative control of administrator accounts. Upon gaining access, they then could install backdoors or any skimming code they choose.

This method was tested by a researcher at the security firm Sucuri who managed to reverse-engineer a recently released official patch to create a working proof-of-concept exploit.

Card skimming

Competing gangs of cybercriminals have spent the last six months trying to infect e-commerce sites with card skimming malware to steal users' payment details. They employed known exploits as well as zero-day vulnerabilities to accomplish this and such a vulnerability in Magento's e-commerce platform will likely be exploited due to the fact that over 300,000 businesses and merchants use its services.

Lead malware intelligence analyst at Malwarebytes, Jérôme Segura explained the severity of the situation to Ars Technica, saying:

“There is no doubt threat actors are either actively reversing the patch or waiting for a proof of concept to exploit this flaw at scale. When it comes to hacked Magento websites, Web skimmers are the most common infection type we see because of their high return on investment. As a result, we can expect another wave of compromises in light of this newly found critical vulnerability.” 

When the proof-of-concept code was published, comments in the code revealed that it could also be modified to obtain other information from Magento's database such as admin and user password hashes. It was also discovered that the vulnerability has existed in Magento since version 1 of its software. This means that all Magento sites that have not installed the latest update are potentially susceptible.

The company's developers recently disclosed and patched a number of vulnerabilities including PRODSECBUG-2198. There is a stand-alone patch for this vulnerability but since the other flaws also pose a threat, it is recommended that all customers upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8.

Via Ars Technica