
E-commerce platform Magento contains a serious vulnerability that puts 300,000 websites at risk of being infected with card-skimming malware. A patch that closes the vulnerability is already available, but website owners still have to install it.

The flaw is tracked as PRODSECBUG-2198, Ars Technica reports. It is an SQL injection vulnerability that attackers can exploit without authenticating. Attackers can use it to take over administrator accounts: they first extract the usernames and password hashes from the database and then crack those hashes. With administrator access, they can install back doors or skimming code.

Over the past six months, several competing groups have tried to infect commercial websites with JavaScript that steals buyers’ credit card details. These attacks exploit known or zero-day vulnerabilities. A serious vulnerability like this one, in a platform used by 300,000 companies and vendors, is therefore likely to be exploited in the wild by these groups.

“There is no doubt that malicious parties are trying to reverse engineer the patch, or are waiting for a proof of concept to exploit the error on a large scale,” says Jérôme Segura, lead malware intelligence analyst at Malwarebytes. “When it comes to hacked Magento websites, web skimmers are the most common type of infection we see because of their high yields. We therefore expect a wave of attacks because of this serious vulnerability.”

Automated attacks

Marc-Alexandre Montpas, researcher at Sucuri, agrees with that conclusion. “SQL injections allow an attacker to manipulate site arguments to inject their own commands into an SQL database. Through this vulnerability, they can collect sensitive data from the database of an affected website, including usernames and password hashes.”

“Unauthorized attacks, such as those in this specific SQL injection vulnerability, are very dangerous because they can be automated. This makes it easy for hackers to launch successful, widespread attacks against vulnerable websites.”
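To make the vulnerability class concrete, here is an added example (not code from the article, from Magento or from Sucuri) that contrasts a user lookup which concatenates a request parameter into SQL with the same lookup written as a parameterised query. It runs against an in-memory SQLite table constructed inline; the table name, column names and placeholder hash values are assumptions for the illustration and say nothing about PRODSECBUG-2198's actual location in Magento's code.

```python
import sqlite3

# Constructed sample data standing in for a CMS admin-user table.
# The hash strings are placeholders, not real password hashes.
SAMPLE_USERS = [
    ("alice", "$PLACEHOLDER_HASH_1"),
    ("bob", "$PLACEHOLDER_HASH_2"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admin_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the request value is spliced into the statement text,
    so the value can change the statement's structure instead of only its data."""
    sql = (
        "SELECT username, password_hash FROM admin_user "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a bound parameter is always treated as a value, never as
    SQL, so the query's structure is fixed at write time."""
    sql = "SELECT username, password_hash FROM admin_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with the textbook tautology
    input, returning the row sets so the difference can be checked."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # classic tautology used only to show the contrast
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign input both functions return only alice's row. With the tautology input the concatenating version returns every row in the table, which is exactly how an unauthenticated request turns into a dump of usernames and password hashes, while the parameterised version returns nothing because no user is literally named `x' OR '1'='1`. Binding parameters (or using an ORM that does so) is the fix for this class of defect; a vendor patch such as the one for PRODSECBUG-2198 applies the same principle at the specific spot where the concatenation occurred.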

Website owners who want to protect themselves against the vulnerability can install the patch.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.