Security experts are warning companies with a Magento e-commerce site to make sure that it has the latest security patch and updates in order to avoid the risk of card skimming attacks.
Magento, originally developed by Varien Inc (now owned by Adobe) is a leading open-source, enterprise-class e-commerce platform written in PHP.
Security concerns about unpatched Magento e-commerce stores have been raised in the past e.g. in 2015 and 2016, with their possible susceptibility to a cross-site scripting attack, and in 2017 Magento CE web stores possibly being susceptible to Remote Code Execution attacks (skimming) and possibly having the database and server taken over.
The (SQL) injection vulnerability in pre-2.3.1 Magento code means that attackers would not need to be authenticated on the site and would have a level of privilege to be able to e.g. carry out a card skimming attack and could even launch automated attacks (because authentication isn’t needed).
For example, security expert Marc-Alexandre Montpas, a researcher at security firm Sucuri, has warned that this vulnerability is potentially so dangerous because of the number of active installs, the ease of exploitation, and the effects of a successful attack.
This kind of (SQL) injection vulnerability could even enable attackers to steal an entire database and take control of the website and web server.
Which Sites Are At Risk?
According to (Adobe) Magento’s own advisory notice, this vulnerability affects sites using the open source or commercial version of the software, and the affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.
It is still unknown exactly how many of Magento’s 300,000 customer sites are at risk from this vulnerability.
Magento has already released a new security update / patch fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution.
What Does This Mean For Your Business?
This story illustrates how important it is to make sure that all software should be kept up to date with the latest patches and fixes, particularly for example, a company e-commerce website where hackers could gain access to customer payment and other private data.
If you have a Magento e-commerce website the advice is to install patch PRODSECBUG-2198. Also, to protect against this vulnerability and others, customers should upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. Magento recommends that customers install the patches as soon as possible.
Magento says that Cloud customers can upgrade ECE-Tools to version 2002.0.17 in order to get the vulnerability in core application patched automatically and that even though they have blocked any known ways to exploit vulnerability, they strongly recommend customers to either upgrade ECE-Tools or apply the patch through m2-hotfixes.
The full official advisory from Magento can be found here: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update