Most Magento shops get compromised via vulnerable extensions

Vulnerable third party extensions (modules) are now the main source of Magento hacks, says security researcher and Magento forensics investigator Willem de Groot.

“The method is straightforward: attacker uses an extension bug to hack into a Magento store. Once in, they download all of the other installed extensions. The attacker then searches the downloaded code for 0day security issues, such as POI, SQLi and XSS flaws. Once found, the attacker launches a global scan to find vulnerable victims. Rinse and repeat,” he explains.

The problem of vulnerable third party Magento modules

Online merchants are struggling to keep their sites clean from card-skimming malicious code because it is economically impossible to keep the many modules they use updated to the latest version all the time.

“Many extension releases are backwards incompatible, which requires costly developer hours. There is no standardized way to get notified of critical releases. And most important: merchants value stability above all, which does not fit well with a continuous upgrade policy,” he notes.

De Groot, who has been monitoring and documenting card-skimming attacks targeting Magento shops for many years, estimates that more than 3,000 stores have been hacked via insecure extensions in the last 3 months.

“I do ecommerce breach forensics for a living and about 60% of my customers had recently fallen victim due to insecure modules,” he told Help Net Security. “These merchants are quite upset, because – until now – there’s not much they could have done to prevent this.

A welcome solution

With the help of several other Magento/security professionals, de Groot has compiled the Magento Vulnerability Database, a central repository for third party Magento extensions with known security issues.

Site administrators/owners can scan their site against the repository using a Magerun module or a single-line command.

Both approaches require command line or SSH access to the server, though Magerun is recommended as it can be easily scheduled or used on an ongoing basis and apparently provides better output.

The result of the scan points out:

• The name of the vulnerable modules
• The earliest safe version to use
• Part of the URL that attackers use to exploit each module (which can be used to search logs for malicious activity)
• The URL of a web page with the explanation of the problem or the name of the researcher who discovered it
• The URL with upgrade instructions.

The Magento Vulnerability Database is aimed at discovering vulnerable modules only on Magento 1 installations.

“Right now almost all malicious activity is taking place on Magento 1 installs (95% vs 5% of store hacks). I plan to extend my vulnerability research for Magento 2 in the future, once M2 has a majority of installations. Currently 84% of the total global installs are M1,” de Groot shared.

He also pointed out that contributions to the repository are welcome, but only security issues that have verified proof or are being actively exploited in the wild should be considered.