A critical Remote Code Execution (RCE) vulnerability has been found and confirmed on the e-commerce platform (owned by eBay) Magento. The vulnerability is affecting hundreds of thousands of online merchants worldwide and if exploited, the critical vulnerability could allow a hacker to compromise completely any online store powered by Magento and gain access to credit card details and other financial as well as personal information related to the customers.
The vulnerabilities that lead to remote code execution (RCE) flaw are present in the Magento core code, and affect the default installation of both Magento Community and Magento Enterprise Editions.
This serious flaw in this platform exploits a series of vulnerabilities that allow unauthenticated attackers to execute any PHP code of their choice on the web server. Running arbitrary code on the web server gives attackers the ability to bypass all security mechanisms and gain complete control of the vulnerable online store and its complete database, thereby allowing credit card theft and other administrative access into the system. Running arbitrary PHP code on a server may also compromise other web application running on the same server and the server itself.
This vulnerability was discovered by the security researchers of Check Point research team and reported together with a list of suggested fixes to Magento back in January this year. Magento released a patch [https://www.magentocommerce.com/products/downloads/magento/|SUPEE-5344 available here to address the vulnerability on February 9, 2015.
It’s been now two months since the release of the patch and still it is estimated that more than 50 percent of all the Magento websites are vulnerable to the attacks, which is worst as they are E-commerce websites.
To demonstrate the vulnerability security researcher has used Burp Suite, which easily allows an attacker to capture the login request, change the host entry in the header, and all other facilities for adding a new user in targeted store. A lot of security researcher have been involved as Magento is Ebay assets to pin-point the and warn their customers with the issue. In one Magento shop a malicious code was found inside that was intended to send all the data submitted by a customer amid checkout procedure to a third-party site, here "soulmagic .biz .fozzyhost .com/add."
app/code/core/Mage/Payment/Model/Method/Cc.php file inside the prepareSave() function, which you can see below:
The Hacker News published several notes about this vulnerability;
At the moment between the checkout form submission and encryption of the user's payment details when Magento handles customer's sensitive information in a plain text, the code injected by hackers send this unencrypted data to third-party address.
Not only Magento sites are targeted:
Researchers also found a very similar code being injected by hackers into the Joomla Donation extension in Joomla websites in order to send customers' credit card information to the hackers using "java-e-shop .com/add." Moreover, all e-commerce solutions, including CMS, plugin, and extension, are equally susceptible to this kind of cyber attack in the event they request customers' credit card details directly on a site, instead of redirecting them to a payment gateway.
It's so easy for a hacker to add a few lines of malicious code in the legitimate code of the website in an effort to dump customer's sensitive details to a noxious third-party. However, customers of online store aren't the only target, either: "When hackers manage to compromise an e-commerce site, the owners of the website can be robbed too," researchers at Sucuri wrote.
There are a known number of cases where hackers replace the PayPal account of website owner with their own account. As a result, every time a customer buys something, the site owner would "never receive the funds."
The bottom line:
Online Shoppers can protect themselves against this threat by following these steps:
- Don't enter your payment details on the websites that offer their own page. Instead prefer the sites that redirect you to a payment gateway provided by PayPal, payment gateway or bank to complete the transaction.
- Only use your Credit Cards with additional levels of authentication. Use payment cards that support additional security layers, like Visa 3-D Secure, or MasterCard SecureCode, or your bank's own 2FA service.
- Check the website for any security issue. This can be done by either surfing the Internet or simply check Google's SafeBrowsing information for the website using this link: http://www.google.com/safebrowsing/diagnostic?site=example.com, where example.com is the domain name of the site you want to check.
Owners of E-commerce website can protect themselves against this threat by following these steps:
- Don't allow customers to process payment details on your site. Outsource the payments to trusted third-party service such as PayPal, Stripe or Google Wallet, so that if hackers compromise your site they cannot be able to steal your customers' credit card details.
- Use best practices with your website security, including strong and unique passwords for every element of your site, actively maintain and update your website firewall, and monitor your website for security issues.
- Be Proactive. If your website is hacked, get help immediately as you cannot put both your customers' money as well as your reputation at risk.
It is my commitment (as well as my partners) to make protect our customers and to make the web a safer place.
It is far more easier to prevent problems like this than to deal with the consequences. Underestimating security issue or not having appropriate resources is a bad behavior. Being busy or worst sleeping is certainly not an excuse. My customers knows and rightly appreciate my awareness and my skills to interpret such information so I can react as fast as possible to protect their business and their asset.