Magento bug exploited to steal payment data from ecommerce websites


Cybersecurity researchers recently discovered a critical vulnerability in the Magento ecommerce platform, which allowed threat actors to deploy persistent backdoors onto vulnerable servers.

Experts from Sansec published a blog post detailing a “cleverly crafted layout template in the database”, used to automatically inject malware.

The template abused an “improper neutralization of special elements” vulnerability, now tracked as CVE-2024-20720, and carrying a severity score of 9.1 (critical).

Targeting Europeans

Magento is an open-source e-commerce platform written in PHP, acquired by Adobe in mid-2018 for $1.68 billion. Today, more than 150,000 online stores use Magento, which is generally perceived as one of the top e-commerce platforms out there.

"Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands," the researchers said in their writeup. "Because the layout block is tied to the checkout cart, this command is executed whenever <store>/checkout/cart is requested."

The command in this case is sed, which adds a backdoor to the CMS controller. “Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run,” they concluded.
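Because the malicious layout template lives in the database rather than on disk, a file-integrity check of the codebase alone will not catch it. The script below is an added example (not code from Sansec, Adobe or the Magento project) showing how a defender might sweep database-stored layout updates for the indicators the technique relies on: `<action>` elements whose arguments reference the beberlei/assert `Assert\Assertion` class, an in-place `sed` edit, or PHP command-execution functions. It assumes rows shaped like Magento's `layout_update` table (`layout_update_id`, `handle`, `xml`), and the indicator list itself is an assumption for this example; the sample rows are constructed and the "suspicious" one is a deliberately non-functional fragment containing only the strings a scanner would key on.

```python
import re
import xml.etree.ElementTree as ET

# Indicator patterns a defender would not expect inside a legitimate layout
# update (an assumption for this example, derived from the technique described
# above: beberlei/assert calls and a sed edit of a controller file). Each is
# matched case-insensitively against the serialised <action> element.
SUSPICIOUS_PATTERNS = {
    "beberlei/assert class": r"Assert\\Assertion",
    "sed in-place edit": r"\bsed\s+-i\b",
    "magento CLI": r"bin/magento",
    "PHP command execution": r"\b(system|exec|shell_exec|passthru|popen)\s*\(",
    "obfuscation": r"base64_decode",
}


def find_indicators(layout_xml: str) -> list[str]:
    """Return a description of every suspicious <action> in one layout update.

    The XML is wrapped in a root element because database rows hold fragments,
    and the xsi prefix is declared so <argument xsi:type="..."> parses.
    """
    wrapped = ('<layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
               f"{layout_xml}</layout>")
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError as exc:
        # An update that does not parse deserves a look too.
        return [f"unparseable XML ({exc})"]
    hits = []
    for action in root.iter("action"):
        raw = ET.tostring(action, encoding="unicode")
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if re.search(pattern, raw, re.IGNORECASE):
                hits.append(f"{label} in action method={action.get('method')!r}")
    return hits


def scan_layout_updates(rows):
    """rows: iterable of dicts shaped like the layout_update table
    (layout_update_id, handle, xml). Returns (id, handle, hits) for every row
    that carries at least one indicator."""
    findings = []
    for row in rows:
        hits = find_indicators(row["xml"])
        if hits:
            findings.append((row["layout_update_id"], row["handle"], hits))
    return findings


# Constructed sample rows (not real data): a benign cart-page block and one
# carrying the indicator strings. The second row is a deliberately
# non-functional fragment; it only contains the strings a scanner keys on.
SAMPLE_ROWS = [
    {"layout_update_id": 1, "handle": "checkout_cart_index",
     "xml": r'''<referenceContainer name="content">
  <block class="Magento\Framework\View\Element\Template" name="cart.promo"
         template="Magento_Theme::html/notices.phtml" after="-">
    <action method="setTitle">
      <argument name="title" xsi:type="string">Free shipping over 50 EUR</argument>
    </action>
  </block>
</referenceContainer>'''},
    {"layout_update_id": 2, "handle": "checkout_cart_index",
     "xml": r'''<referenceContainer name="content">
  <block class="Magento\Framework\View\Element\Template" name="cart.probe">
    <action method="setData">
      <argument name="value" xsi:type="string">Assert\Assertion PLACEHOLDER sed -i PLACEHOLDER Controller/Index/Index.php</argument>
    </action>
  </block>
</referenceContainer>'''},
]

if __name__ == "__main__":
    for update_id, handle, hits in scan_layout_updates(SAMPLE_ROWS):
        print(f"layout_update_id={update_id} handle={handle}")
        for hit in hits:
            print("  -", hit)
```

In a real deployment the rows would come from a `SELECT layout_update_id, handle, xml FROM layout_update` query against the store database, and any hit on a checkout-related handle should be reviewed together with the CMS controller file the article mentions, since cleaning the file without removing the database row lets the backdoor come back on the next cart request.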

Magento fixed the flaw with a security patch published on February 13 this year, so if you haven’t already installed it, now would be a good time.

Given Magento’s popularity, it’s no wonder that it’s a major target. One of the biggest credit card skimmers out there is called MageCart, and the last time we heard of it, threat actors had been using the tool to target websites running outdated and unsupported versions of Magento in bulk.

In February 2022, Sansec discovered more than 500 infections that occurred on the same day, with the same malware. The researchers said the attackers used the naturalfreshmalll.com domain (quickly defunct) to load the malware onto ecommerce websites running Magento 1. 

This version reached its end-of-life on June 30, 2020, meaning it no longer receives regular security and usability updates, making it a perfect target for cybercriminals.

Via TheHackerNews


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.