Critical Flaw in Magento Leaves Millions of E-Commerce Sites at High Risk | Storm Internet

Millions of online shops currently run on Magento. Attackers know this, and it makes Magento the fourth most commonly targeted content management system. This is not a small hack, however: this flaw can destroy your entire company overnight.

All versions of the Community Edition (CE) up to and including 1.9.2.2 are vulnerable, as are all Enterprise Edition (EE) versions up to and including 1.14.2.2. The vulnerability allows an attacker to create and escalate user privileges, letting them create an administrator account, siphon customer data, steal credit card information, and completely take over the Magento-based store.

This exploit is very easy to carry out, which is one reason it can topple companies overnight. This attack was carried out against Sony’s website in 2002 and cost the company over 3 million dollars to fix (cited from CBS News), given that they purchased a LifeLock protection plan for all their customers in order not to lose their customer base.

The exploit works when a user creates a new account and enters malicious JavaScript code in the customer registration form in place of an email address. Magento then executes that JavaScript in the context of the administrator’s session the next time an administrator logs in, making it possible for the attacker to remotely take over the administrator’s session and even the entire server.
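As an added illustration (not code from this post or from Magento itself) of the two controls that close this class of bug, the Python below strictly validates a registration email, HTML-encodes it before it reaches an admin page, and audits already-stored records for values that look like markup rather than addresses. The validation pattern and the sample records are constructed for this example.

```python
import html
import re
from dataclasses import dataclass

# Strict address shape (assumed for this example, not Magento's own validator):
# dot-atom local part, dotted domain, alphabetic TLD. No quoted local parts,
# which removes the room needed to smuggle markup into the field.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Characters and fragments that have no place in an address but do in a payload.
MARKUP_RE = re.compile(r"""[<>"'`]|javascript:|on[a-z]+\s*=""", re.IGNORECASE)

@dataclass
class Registration:
    customer_id: int
    email: str

def is_valid_email(value: str) -> bool:
    """Input control: accept only addresses matching the strict shape above."""
    return EMAIL_RE.fullmatch(value) is not None

def render_email_cell_unsafe(email: str) -> str:
    """The pattern the post describes: the stored value is written straight
    into admin-panel HTML, so a script inside it runs in the admin's session."""
    return f"<td>{email}</td>"

def render_email_cell(email: str) -> str:
    """Output control: HTML-encode on output regardless of what was stored."""
    return f"<td>{html.escape(email, quote=True)}</td>"

def find_suspicious(records: list[Registration]) -> list[int]:
    """Audit already-stored registrations: flag any record whose email fails
    the strict check or carries markup-like fragments, for manual review."""
    return [
        r.customer_id
        for r in records
        if not is_valid_email(r.email) or MARKUP_RE.search(r.email)
    ]

# Constructed sample records for the demonstration (not real customer data).
SAMPLE = [
    Registration(1, "alice@example.com"),
    Registration(2, "bob.smith+shop@example.co.uk"),
    Registration(3, "<script>alert(1)</script>"),                # harmless canary
    Registration(4, '"eve onmouseover=alert(1)"@example.com'),  # quoted local part
]

if __name__ == "__main__":
    print("flagged customer ids:", find_suspicious(SAMPLE))
    print(render_email_cell(SAMPLE[2].email))
```

Run against a dump of the `customer_entity` email column, the audit list is a quick way to see whether a site was hit before the patch was applied.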

There is some good news, however, for Magento-based stores. The flaw is fixed in all Magento versions beyond 1.14.2.2 (EE) or 1.9.2.2 (CE), so updating your installation is all you need to do to fix this vulnerability. Before you update, though, keep in mind that the update may break some of your extensions or custom code and could render your site unusable. It is also recommended that you apply the latest patch bundle, SUPEE-7405.

If you’d like to know more about how to keep your websites and hosted data safe from online attacks, get in touch with the experts by clicking here or call us on 0800 817 4727.