eBay’s Magento pushes patch after credit card threat

E-commerce platform Magento has stressed its customers need to update to the latest version of its software following reports of new attacks that could expose credit card details.

Magento, an eBay-owned e-commerce platform provider, is pushing customers to install a security update that fixes a flaw that has come under attack by hackers after security researchers released details about the bug last week.

Security firm Check Point on Monday April 20 detailed a remotely exploitable bug that it had reported to Magento in January. Magento released a fix for the bug on February 9 under the “SUPEE-5344” update and says it had told customers then about the flaw. However, on Friday, following further reports the bug was being exploited, Magento issued another warning that reminded customers they should install the update.

Check Point’s report on Monday included proof of concept attack code, which disclosed the basics of what would be required for an attacker to exploit the bug. Another security firm, Sucuri, found evidence that hackers were attempting to exploit the bug within 24 hours of Check Point’s report being published by scanning for installations that hadn’t applied the update.

The Magento bug affects up to 200,000 e-commerce sites, notably including sites designed to take customer credit card numbers.

In a blog post on Friday, Magento said the bug affects Magento Enterprise Edition and Magento Community Edition. It emphasised that it “allows attackers to obtain control over a store and its sensitive data, including personal customer information.”

Attempted attacks on potentially vulnerable sites rose after Check Point’s disclosure, according to Sucuri, which had been pre-notified of Check Point’s report and warned ahead of its release that “the severity of this issue cannot be understated,” urging anyone using Magento to update immediately.

The attacks were coming from two Russian IP addresses, and were found to be injecting malicious SQL commands into input fields on a range of e-commerce sites in search of those running outdated versions of Magento, according to Sucuri.
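The scanning Sucuri describes leaves a visible trail in ordinary web server logs: requests whose path or query values carry SQL fragments, repeated from the same few source addresses. The following is an added illustration, not code from Sucuri, Check Point or Magento, of how a site operator could sift an access log for that pattern. The log format, the signature list and the sample lines are all constructed for this example; only GET parameters are visible here, so injections submitted in POST form fields would have to be caught at the WAF or application layer instead.

```python
"""Flag SQL-injection-style probes in web server access logs (added illustration, not vendor code)."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Field layout of a "combined"-style access log line (assumed; adjust to your server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Generic SQL injection probe signatures; matched against URL-decoded fields.
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I),
    "tautology": re.compile(r"['\"]\s*or\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "comment_tail": re.compile(r"(--|#|/\*)\s*$"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
    "sleep_probe": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

# Constructed sample traffic (documentation-range IPs, fictitious store paths).
SAMPLE_LOG = """\
198.51.100.7 - - [21/Apr/2015:09:58:01 +1000] "GET /index.php/catalog/product/view/id/42 HTTP/1.1" 200 5123
198.51.100.7 - - [21/Apr/2015:09:58:04 +1000] "GET /index.php/catalogsearch/result/?q=jacket HTTP/1.1" 200 8830
203.0.113.10 - - [21/Apr/2015:10:01:12 +1000] "GET /index.php/catalogsearch/result/?q=%27+OR+1%3D1-- HTTP/1.1" 200 8811
203.0.113.10 - - [21/Apr/2015:10:01:13 +1000] "GET /index.php/catalog/product/view/id/42%27+UNION+SELECT+1%2C2%2C3-- HTTP/1.1" 404 219
203.0.113.10 - - [21/Apr/2015:10:01:15 +1000] "GET /index.php/customer/account/login/?referer=%2527%2520or%2520%2527a%2527%253D%2527a HTTP/1.1" 200 4410
203.0.113.11 - - [21/Apr/2015:10:03:40 +1000] "GET /index.php/checkout/cart/?qty=1%3B+DROP+TABLE+orders HTTP/1.1" 200 7700
"""


def decode(value, rounds=2):
    """URL-decode repeatedly so double-encoded payloads (%2527 -> %27 -> ') are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one access log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Return the sorted signature names that fire on the request path or any query-string value."""
    parts = urlsplit(target)
    fields = [decode(parts.path)]
    fields += [decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = set()
    for field in fields:
        for name, pattern in SQLI_SIGNATURES.items():
            if pattern.search(field):
                hits.add(name)
    return sorted(hits)


def scan_log(text):
    """Return one finding per request that trips at least one signature."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = inspect_target(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"], "signatures": hits})
    return findings


def suspicious_sources(findings, min_requests=2):
    """Group findings by source IP; repeated probes from one address look like a scanner, not a typo."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_requests}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["ts"], ",".join(f["signatures"]), f["target"])
    print("repeat offenders:", suspicious_sources(results))
```

Run against the embedded sample, three of the four flagged requests come from one address, which is the kind of clustering that justifies a block at the firewall while the SUPEE-5344 update is applied; a single hit from an address may just be a customer typing an apostrophe and deserves a look before any action.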

The Friday post was the first time Magento acknowledged the issue on its blog; however, it said it had recommended on February 9 that merchants update, and did so again to merchants and partners on April 16, ahead of Check Point’s disclosure.


Magento also issued an update for website application firewall (WAF) providers on the weekend. Website optimisation firm CloudFlare on Saturday said all customers using its WAF "needs to click the ON button next to the “CloudFlare Magento” Group in the WAF Settings to enable protection immediately."

Magento has provided links to its update for the community and the enterprise versions of its product via its support pages. Vulnerable versions include Community Edition and Enterprise Edition.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
