Check Point Software Technologies researchers discovered a critical RCE (remote code execution) vulnerability in the Magento e-commerce platform that can affect nearly 200,000 stores, allowing administration override and the collection of personal customer data.
Magento, acquired by the e-commerce giant eBay in 2011 for a little north of two hundred million, is quickly paving the way for mid- to large-scale businesses to run e-commerce stores without the need for a traditional brick-and-mortar shop. Big names like Rosetta Stone, Harper’s Bazaar, Vizio, Nike, and Fiji Water all use the Magento platform. With well-known names both employing the platform and backing it (think PayPal and eBay), security is of the utmost importance.
A vulnerability in Magento’s system was discovered by Check Point LTD and communicated directly to eBay two days before the public announcement on February 9th of this year. Magento prepared an announcement and released a security patch resolving the vulnerability. The vulnerability allows access to all the data in 200,000 online stores, including administrative logins, customer information, credit card information, and more.
Check Point describes the vulnerability in their blog, excerpt below:
The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system.
This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affect any default installation of both Community and Enterprise Editions. Check Point customers are already protected from exploitation attempts of this vulnerability through the IPS software blade.
Three months after the initial patch was released, many sites have still not installed it, leading to breaches and the compromise of sensitive information. Vulnerabilities like these are time sensitive, and while you cannot protect yourself from the unknown with guaranteed certainty, fast-acting policies to secure and fix issues as they arise are necessary to maintain the safety of your customers’ information and your company’s trust with the public. If you own a Magento store, act now to install the patch and screen for any new admin logins or security breaches to keep your site clean.
With 24/7 Monitoring and Reporting, we support you in your security needs. By staffing the best team members and using the right technologies, we monitor and protect our clients’ networks, maintaining world-class customer satisfaction ratings averaging over 95%. Affant, on your side.
Affant Director of Engineering since 2000. Management of engineering and support team, escalation of all technical and client issues. Sales and design engineer.