Magento e-commerce sites at hacking risk

A vulnerability in the Magento e-commerce platform is putting as many as 300,000 retail websites at risk of card-skimming until they install a recently-released patch.

The bug, tracked as PRODSECBUG-2198, is a SQL injection vulnerability that attackers can exploit without any authentication. Hackers could use the flaw to take control of administrator accounts, provided they can download the user names and passwords, and then install backdoors or card-skimming code.

Satnam Narang, senior research engineer at cyber security firm Tenable, explained: “Earlier this week, Magento published a security update to address over 30 vulnerabilities in Magento Open Source and Commerce.

“Most notable in this release is a patch for PRODSECBUG-2198, an unauthenticated SQL injection vulnerability that can lead to remote code execution.”

Narang noted that while there is no proof of concept code or exploit scripts available for this bug yet, due to the relative ease of exploitation, Magento site owners should upgrade to these patched versions as soon as possible.

“Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed.”

Magento is used by more than 15 million e-commerce sites. With the proliferation of attacks like Magecart - a card-skimming hacker group which hit British Airways and Ticketmaster last year - vulnerabilities can become serious security risks very quickly.

Research last August, from cyber security consultancy Foregenix, on small and medium-sized company websites globally - including around 15,000 in the UK - found that 86 per cent of Magento-backed websites were missing critical security patches.

Magento did not respond to requests for comment at time of going to press.

A post on its website did, however, note that an SQL injection vulnerability has been identified in pre-2.3.1 Magento code.

"To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198, however, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8," it read, adding: "We strongly suggest that you install these full patches as soon as you can."
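The practical question for a site owner is whether the installed release already carries the fix. The following is an added example, not code from the article or from Magento, that reads the `version` field of a Magento 2 root `composer.json` and compares it against the two patched releases the post names, 2.3.1 and 2.2.8; any other branch is returned as unknown (an assumption, so that it gets manual review rather than a false "patched" verdict), and the sample `composer.json` is constructed.

```python
import json
import re

# Minimum patched releases named in the Magento post quoted above.
# Branches not listed here are reported as None (unknown) so they get
# manual review against the vendor advisory. (assumption)
PATCHED_MINIMUM = {
    (2, 3): (2, 3, 1),
    (2, 2): (2, 2, 8),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(version: str):
    """Parse '2.3.0' or '2.2.8-p1' style strings into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str):
    """True if the release carries the PRODSECBUG-2198 fix, False if it is
    an older release on a named branch, None if the branch is not covered
    by PATCHED_MINIMUM and needs manual review."""
    major, minor, patch = parse_version(version)
    minimum = PATCHED_MINIMUM.get((major, minor))
    if minimum is None:
        return None
    return (major, minor, patch) >= minimum


def check_composer_json(text: str):
    """Return (version, verdict) from a Magento 2 root composer.json,
    or None when the file carries no usable version string."""
    data = json.loads(text)
    version = data.get("version")
    if not isinstance(version, str):
        return None
    return version, is_patched(version)


# Constructed sample of a root composer.json from an unpatched store.
SAMPLE_COMPOSER_JSON = """{
  "name": "magento/project-community-edition",
  "version": "2.3.0",
  "type": "project"
}"""

if __name__ == "__main__":
    version, verdict = check_composer_json(SAMPLE_COMPOSER_JSON)
    print(f"Magento {version}: patched={verdict}")
```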
