Glasgow: Magento, the most favoured ecommerce platform, owned by eBay, is in the news yet again, this time for a critical Remote Code Execution (RCE) vulnerability affecting thousands of online merchants around the world. The vulnerability could give an attacker complete control over a store, allowing credit card theft and administrative access to the system.
According to a reputed malware and vulnerability research group, more than 200,000 websites use Magento. Websites on this platform should make sure they are running the latest version of the software, as hackers are increasingly exploiting a flaw that was patched just a few months ago.
Attackers bypassing the security systems
- The serious flaw in Magento is a series of vulnerabilities that allows any unauthenticated attacker to execute PHP code of their choice on the web server. By running arbitrary code on the web server, the hackers can bypass all the security systems and gain complete access to the vulnerable store and its database.
- The vulnerabilities are in the Magento core code and affect the default installation of the Magento Community and Magento Enterprise editions. A vulnerability research company found the flaw and reported it to Magento, which issued a patch (SUPEE-5344) for it in February. Since the research group disclosed the flaw, attackers appear to have picked up on it and are trying to find unpatched applications.
More than 50% of Magento websites are still vulnerable
- Although more than 2 months have passed since the patch was released, more than 50% of Magento websites are still vulnerable to attack, which is the worst part. A few analysts from a security firm wrote that they have seen indications that attackers using 2 Russia-based IP addresses are trying to exploit unpatched Magento applications.
- So far, the attacks have only aimed at creating a fake admin user in the Magento database. But it is likely that the attackers will use that foothold to take over the site completely.
Flaw can reduce the price of the product
- Recently a vulnerability research company analysed the exploit code and found that it was a SQL injection attack used to add a new admin user to the database. The company also found that the usernames used by the exploit were “vpwq” and “defaultmanager.” The presence of these usernames could indicate a successful attack.
- A few months back, the company posted a video on its blog showing that the flaw can even be used to reduce the price of a product on a website. It showed the flaw being used to reduce the price of a $100,000 watch.
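Store admins can check for the two usernames mentioned above with a short audit of the admin accounts. The script below is an added example, not code from Magento or from the research company; it runs against a constructed, reduced copy of Magento's `admin_user` table in SQLite, and the "expected admins" list, the function names and the sample rows are assumptions for illustration.

```python
import sqlite3

# Usernames the article reports the exploit creating (compared in lower case).
IOC_USERNAMES = {"vpwq", "defaultmanager"}
IOC_REASON = "matches a reported exploit username"
UNKNOWN_REASON = "not in the expected admin list"

# Constructed, reduced stand-in for Magento's admin_user table.
SCHEMA = """CREATE TABLE admin_user (
    user_id INTEGER PRIMARY KEY, username TEXT, email TEXT,
    created TEXT, is_active INTEGER)"""

# Constructed sample rows, not data from a real store.
SAMPLE_ROWS = [
    (1, "storeowner", "owner@example.test", "2014-06-01 10:00:00", 1),
    (2, "VPWQ ", "x1@example.test", "2015-04-20 03:12:00", 1),
    (3, "defaultmanager", "x2@example.test", "2015-04-21 04:40:00", 1),
    (4, "helpdesk", "help@example.test", "2015-04-22 09:00:00", 1),
]


def build_sample_db():
    """Create the in-memory sample database used by this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_suspect_admins(conn, expected_admins):
    """Return (username, reason) for every admin account that needs review."""
    expected = {name.strip().lower() for name in expected_admins}
    findings = []
    query = "SELECT username FROM admin_user ORDER BY user_id"
    for (username,) in conn.execute(query):
        name = (username or "").strip().lower()
        if name in IOC_USERNAMES:
            # Checked first so an indicator is reported even if allowlisted.
            findings.append((username, IOC_REASON))
        elif name not in expected:
            findings.append((username, UNKNOWN_REASON))
    return findings


if __name__ == "__main__":
    for username, reason in find_suspect_admins(build_sample_db(), ["storeowner"]):
        print(f"{username!r}: {reason}")
```

An empty result does not mean the store is patched; it only means no unexpected admin accounts were found.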
Hence online store owners and admins are advised to apply the patch as soon as possible, as attacks are increasing and the impact of a compromised website can be disastrous for online buyers.
Fortune Innovations Glasgow is one of the agencies that design astonishing, bespoke and high-conversion ecommerce websites for clients. We have a proven track record of building ecommerce websites for several small and large organizations. Just get in touch with us if you require any assistance with ecommerce development. Our team will get back to you soon with an affordable solution.