Online shoppers' data are at risk due to Magento e-commerce vulnerability: Dyman Associates Risk Management Review

A dangerous remote code execution vulnerability was recently patched in Magento, eBay's e-commerce platform and software. The hole could put 200,000 companies' websites and their customers' information at risk of being hacked.

Researchers from Dyman Associates Risk Management Blog said that if attackers exploited the vulnerability, it could expose customers' credit card information, as well as other personal and financial data. The vulnerability was patched back in February and originates from a chain of several different vulnerabilities.

Check Point's Malware and Vulnerability Research Manager said that the vulnerability represents a major threat not just to one store, but to all of the retail brands that use the Magento platform for their online stores.

The vulnerability enables attackers to execute PHP code on a store's web server and bypass the platform's security controls. It could also give them full control of a vulnerable website, from which they could copy the contents of databases to obtain customers' credit card data, e-mail and home addresses, phone numbers, and other personal information. Furthermore, they could exploit the Magento vulnerability to inject harmful code into a website so that it infects visitors with malware, or to alter the prices the merchant charges for certain items.

Because the flaws are in Magento's core code rather than in a particular plugin or theme, any company running a default or outdated version of either the Community or Enterprise edition of the platform is considered vulnerable until it has installed the update that fixes the vulnerability, which was released on February 9.

Brands that run online shops on Magento include Nike, Ghirardelli, Sierra Nevada Brewing Company, Rebecca Minkoff, Zumiez and Rosetta Stone, all of which have installed the security update.

Magento encourages customers to visit its customer and partner portals and apply the patch as soon as possible. The company also assured everyone that it is focused on eliminating the vulnerability and committed to keeping the Magento platform safe and secure for commerce.

Dyman Associates Risk Management Blog offers a few security practices customers should always keep in mind:

- Check for the padlock icon next to a website's address, which indicates that your connection is encrypted. Note that the padlock only confirms the connection to the site is encrypted; it says nothing about whether the store's own server has been compromised.

- Be selective about which websites you allow to store your payment information; credit card details that are never stored cannot be taken from the store by attackers.

- Always check every line of your credit card statements, even small purchases, because criminals often begin by charging small amounts to an account each month to test whether the real account holder notices.

Dutch hosting provider Byte, which hosts many Magento websites, has published useful information about the bug and its current exploitation status, along with tools for checking whether an e-commerce site is still vulnerable to it.

The company also noted that once a working exploit is released, it estimates that every unpatched Magento installation will be hacked within 48 hours.

Dyman & Associates Risk Management Projects is a risk management firm headquartered in Boston, MA. We operate in the following fields: Cyber Security, Project Management, Emergency Management, Technology Governance, and Physical Security. Our company is a minority-owned enterprise with both MBE and DBE certifications.