Magento, the famous e-commerce platform owned by eBay, is once again making news. This time for a crucial Remote Code Execution (RCE) vulnerability, that affected hundreds of online merchants all over the world.
The critical vulnerability, if exploited, can permit hackers to entirely compromise an online store that is powered by Magento and gain credit card information, along with other personal and financial information linked to customers.
What Does the Vulnerability Do?
A number of vulnerabilities get exploited because of this crucial flaw in the Magento platform. It eventually allows unauthenticated attackers to perform PHP code of their choice on the web server.
All vulnerabilities that advance towards remote code execution (RCE) flaw are there in the Magento core code. It affects the installation of both Magento Enterprise Editions and Magento Community.
Operating arbitrary code on the web server provides attackers with the ability to sidestep all web application security auditing mechanisms and get complete control of online stores that are vulnerable, along with their complete database, thereby permitting credit card thefts and other way of getting administrative access.
The Worse Part
The most problematic part is that the vulnerability was found by security researchers of Check Point research team and it was announced along with a list of recommended fixes to Magento in January.
Without delay, a patch (SUPEE-5344) was released by Magento, which addressed the vulnerability on February 9, 2015.
Nevertheless, it’s been more than two months since the patch has been released, still more than 50 percent of the websites are vulnerable, and the worst part is that they are ecommerce websites.
According to a blog post by Check Point, “The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores — which represents about 30% of the ecommerce market.”
Patching Your Magento Site
It is requested that administrators and online store owners apply the patch immediately. The brunt of Magento ecommerce websites getting compromised can have a disastrous effect on online buyers, who have used a website that has been built on this platform.
Recently, it has also been found that cybercriminals are safeguarding legitimate Magento ecommerce websites, so that all the data, including credit card details, can be send and submitted by customers, in the midst of checkout procedures to third-party malicious websites that are controlled by attackers.