Serviceteam IT Security News

After researchers discovered an SQL injection vulnerability in Magento’s code, the company issued a security fix for more than 30 different vulnerabilities in its software, which reportedly has put more than 300,000 e-commerce sites at risk of card-skimming attacks.

Online businesses have been strongly urged to download the latest fix, with warnings that Magento versions prior to 2.3.1 are vulnerable and are being exploited in the wild.

According to the March 26 Magento advisory, “Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.3.1. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.”

With a Common Vulnerability Scoring System (CVSS) severity rating of 9.8, PRODSECBUG-2192 would allow “an authenticated user with privileges to create newsletter or email templates that can execute arbitrary code through crafted newsletter or email template code.”

No proof of concept yet exists, but exploitation is relatively easy according to Satnam Narang, senior research engineer, Tenable. “Magento site owners should upgrade to these patched versions as soon as possible. Magento e-commerce websites have been a popular target for cybercriminals for years, so the existence of an unauthenticated remote code execution bug certainly won’t go unnoticed.”

Instead of credential dumps, criminals are using stolen credit card dumps that can result in immediate financial losses for consumers and fraud losses for merchants, said Ameya Talwalkar, co-founder and CPO, Cequence. “This is a unique case of an application vulnerability being exploited for business logic abuse. We’ve detected and blocked similar attacks to this that have targeted our own retail customers. This particular attack is very similar to credential checking attacks on login applications using malicious automation or bots.”

“Normally retail applications do not allow for $0 transactions, but due to the newly discovered vulnerability in Magento, it allows these $0 transactions and opens the door for checking stolen credit and gift cards for validation.”

Source: Infosecurity Magazine
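As an added, defensive illustration of the abuse pattern described in the quote above (the use of $0 transactions to test stolen cards), here is a server-side zero-amount guard beside a simple burst detector run over constructed checkout log entries. This is example code written for this page, not code from Magento, from the article, or from the quoted speakers; the log format, the IP addresses, the thresholds and the names `should_reject` and `detect_card_testing` are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of checkout authorization attempts:
# (timestamp, client_ip, amount, processor_result).
# These are made-up log entries for the example, not data from the advisory or the article.
SAMPLE_EVENTS = [
    ("2019-03-27T10:00:01", "203.0.113.5", 0.00, "approved"),
    ("2019-03-27T10:00:03", "203.0.113.5", 0.00, "declined"),
    ("2019-03-27T10:00:04", "203.0.113.5", 0.00, "approved"),
    ("2019-03-27T10:00:06", "203.0.113.5", 0.00, "declined"),
    ("2019-03-27T10:00:08", "203.0.113.5", 0.00, "approved"),
    ("2019-03-27T10:00:09", "203.0.113.5", 0.00, "declined"),
    ("2019-03-27T10:01:00", "198.51.100.7", 49.99, "approved"),
    ("2019-03-27T10:30:00", "198.51.100.7", 12.50, "approved"),
    ("2019-03-27T11:00:00", "192.0.2.9", 0.00, "approved"),
]


def parse_event(row):
    """Turn one constructed log row into (datetime, ip, float amount, result)."""
    ts, ip, amount, result = row
    return (datetime.fromisoformat(ts), ip, float(amount), result)


def should_reject(amount, minimum=0.01):
    """Server-side guard (assumed minimum charge): refuse any authorization below it.

    A $0 authorization earns the merchant nothing, but its approve/decline result
    tells the submitter whether a card is live, which is exactly the validation the
    quote describes. Rejecting it before it reaches the processor removes that oracle.
    """
    return amount < minimum


def count_rejected(events):
    """How many of the logged attempts the guard would have refused."""
    return sum(1 for e in events if should_reject(parse_event(e)[2]))


def detect_card_testing(events, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs that submit `threshold` or more authorization attempts
    within a sliding `window` (assumed values: 5 attempts in 5 minutes).

    Returns {ip: peak_attempts_in_window}. Real checkouts from one shopper are
    rare and spaced out; a tight burst from one source is the bot-driven
    card-checking behaviour the article compares to credential-stuffing.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip, amount, result in sorted(parse_event(e) for e in events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    print("zero-amount attempts the guard would refuse:", count_rejected(SAMPLE_EVENTS))
    print("sources flagged for burst activity:", detect_card_testing(SAMPLE_EVENTS))
```

The two checks are deliberately separate: the amount guard is a preventive control at the application layer, while the burst detector works on logs and would catch the same pattern even if an attacker switched to small non-zero charges, in which case only the threshold and window need tuning for the store's normal traffic.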
