100,000 web shops open to compromise as attackers exploit Magento bug

A critical vulnerability found in Magento, the most popular content management system for e-commerce sites, is being exploited by hackers to get their hands on users’ personal and payment card information, Ars Technica reports.

Discovered by Check Point researchers and privately disclosed to eBay, the owner of the company that develops the CMS, the flaw (SUPEE-5344) was patched in February 2015, but the patch still hasn’t been implemented by over 98,000 online merchants.

This slow uptake of the fix prompted Magento to send email alerts directly to users of the CMS, urging them to apply the patch immediately.

“The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point’s Netanel Rubin explained.

“This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affect any default installation of both Community and Enterprise Editions.”

According to Sucuri Security’s Daniel Cid, exploitation attempts began soon after Check Point released technical details about the flaw on Wednesday, April 23.

Cid says that they all seem to be coming from a specific crime group, and always from two IP addresses from Russia.

The exploit tries to create a fake admin user inside the Magento database, so that the attackers can use it at a later date to take control of the site.
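Because the observed attacks leave a persistent artifact (a new administrator account) in the shop database, one practical post-disclosure check is to audit the admin user table against a known-good list and the disclosure date. The following is an added example written for this article, not code from Magento, Check Point or Sucuri; it assumes Magento 1's `admin_user` table with `username`, `email`, `created` and `is_active` columns, and runs against a constructed in-memory SQLite copy of that table rather than a live store.

```python
import sqlite3
from datetime import datetime

# Constructed sample rows shaped like Magento 1's admin_user table
# (assumed columns: user_id, username, email, created, is_active).
# The third row is a constructed example of an account an attacker
# might leave behind: unknown name, created after the disclosure date.
SAMPLE_ADMIN_USERS = [
    (1, "storeadmin", "admin@example-shop.test", "2014-11-02 09:15:00", 1),
    (2, "marketing", "mkt@example-shop.test", "2015-01-20 14:02:00", 1),
    (3, "vpwq", "vpwq@mail.test", "2015-04-24 03:41:12", 1),
]

# Accounts the shop owner actually created (assumed allow-list).
KNOWN_ADMINS = {"storeadmin", "marketing"}

# Check Point published details on April 23, 2015; attacks followed shortly after.
DISCLOSURE_DATE = datetime(2015, 4, 23)


def load_sample_db():
    """Build an in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_user ("
        "user_id INTEGER, username TEXT, email TEXT, created TEXT, is_active INTEGER)"
    )
    conn.executemany("INSERT INTO admin_user VALUES (?, ?, ?, ?, ?)", SAMPLE_ADMIN_USERS)
    return conn


def find_suspicious_admins(conn, known_admins, since):
    """Return [(username, created, reasons)] for every admin account that is
    either absent from the allow-list or was created on/after `since`.
    Both signals are reported so an analyst can see why a row was flagged."""
    rows = conn.execute(
        "SELECT username, created, is_active FROM admin_user ORDER BY created"
    ).fetchall()
    findings = []
    for username, created, is_active in rows:
        reasons = []
        if username not in known_admins:
            reasons.append("not in allow-list")
        if datetime.strptime(created, "%Y-%m-%d %H:%M:%S") >= since:
            reasons.append("created on/after disclosure date")
        if reasons:
            findings.append((username, created, reasons))
    return findings


if __name__ == "__main__":
    for username, created, reasons in find_suspicious_admins(
        load_sample_db(), KNOWN_ADMINS, DISCLOSURE_DATE
    ):
        print(f"{username} (created {created}): {', '.join(reasons)}")
```

Against a real store the same query would be run on the live database (or a dump taken before any cleanup), and a hit on either signal should be treated as a reason to assume the installation was compromised and to rotate credentials, not merely to delete the account.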

Apart from giving them access to the site’s database, this would also allow them to do things like inject malicious code into the site, change item prices so that they could buy luxury items for a pittance, or create coupons (as demonstrated by Check Point in a video accompanying its write-up).

Incapsula has also warned about Magento SUPEE-5344 attack attempts detected on its network, coming from Chinese IP addresses.

Dutch hosting provider Byte, which hosts many websites using Magento, has provided helpful information about the bug and its current exploitation status, as well as a tool for checking which e-commerce sites are still vulnerable to it.

“Once an executable exploit is published, it is estimated that every unpatched Magento installation will be compromised within 48 hours,” the company noted. “The same happened to Drupal within 7 hours.”

And, unfortunately, lists of global Magento installs are readily available on the web, making it that much easier for attackers to choose the right targets.