Magento, the widely used e-commerce platform owned by eBay, is once again in the news, this time for a critical Remote Code Execution (RCE) vulnerability affecting hundreds of thousands of online merchants worldwide.
If exploited, the vulnerability could allow an attacker to completely compromise any online store powered by Magento and gain access to credit card details and other financial and personal information belonging to its customers.
Which isn't great.
The attack chains together a series of vulnerabilities in the Magento platform that ultimately allow an unauthenticated attacker to execute arbitrary PHP code on the web server.
Every vulnerability in the chain lies in the Magento core code, and the chain works against a default installation of both Magento Community Edition and Magento Enterprise Edition.
Running arbitrary code on the web server lets an attacker bypass the application's security controls and take complete control of the vulnerable store and its entire database, which opens the door to credit card theft and persistent administrative access to the system.
The worst part:
The most disturbing aspect is that this vulnerability was discovered by Check Point's research team and reported to Magento, together with a list of suggested fixes, in January this year.
Magento released a patch, SUPEE-5344, to address the vulnerability on February 9, 2015.
However, more than two months after the patch was released, more than 50 percent of all Magento websites are still vulnerable, which is especially alarming because these are e-commerce sites that handle payment data.
"The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores -- which represents about 30% of the ecommerce market," Check Point wrote in a blog post on Monday.
So, you need to patch your Magento site now!
Online store owners and administrators are urged to apply SUPEE-5344 immediately; Magento's patch scripts record themselves in app/etc/applied.patches.list, so confirm that SUPEE-5344 appears there on every instance. The impact of a compromised Magento store can be devastating for every customer who has ever bought, or will buy, through a site built on the platform.
Recently it was also discovered that cybercriminals are compromising legitimate Magento stores so that all the data customers submit during checkout, including credit card details, is silently sent to a third-party site controlled by the attackers.