April 17, 2017 By Douglas Bonderud 2 min read

Sales via e-commerce platforms are rising. In fact, Forbes noted the November and December 2016 totals alone equaled more than $110 billion worldwide. But growing technological adoption has also spurred cybercriminal activity, with attackers looking for any way to crack e-commerce security measures and steal payment data.

SecurityWeek explained that one vulnerability in the popular e-commerce platform Magento could do more than just draw cybercriminal interest: if executed effectively, it could give malicious actors total control of targeted systems.

Informing the Public

DefenseCode first detected the vulnerability in November 2016 and reported it to Magento through its bug bounty program. Although Magento acknowledged the issue, no fix was forthcoming, and DefenseCode chose to make its discovery public.

So what’s the risk? CIO said it all starts with Vimeo. Using a built-in Magento feature, users can attach Vimeo video content to an existing product in their e-commerce shop. The platform fetches a preview image for the video using a POST request, but it is possible for attackers to change the request method from POST to GET, paving the way for a cross-site request forgery (CSRF) attack that uploads an arbitrary file.

While such files are not accepted as valid images on Magento-based e-commerce sites, they are still saved to the site’s server. That lets attackers easily identify the save location, then upload a malicious PHP script and an .htaccess file into the same directory. To execute the attack, fraudsters must convince any user with admin panel access to visit a specially crafted webpage.

Also worth noting is that even low-privilege accounts can access the remote image retrieval function and execute the CSRF, which grants threat actors full access to system databases and potentially full system control. This currently unpatched vulnerability puts more than 250,000 sites at risk.

Safeguarding Against the Vulnerability

So how do companies increase the security of their e-commerce site? Ideally, a fix is forthcoming for the Magento issue, which will shut down at least one potential avenue of attack. But the value of e-commerce data means that cybercriminals are constantly looking for new ways to bypass defenses or leverage seemingly innocuous functions to gain complete control.

Multichannel Merchant explained it’s critical for companies to proceed with caution and assume all traffic heading to their website is potentially malicious. This means using SSL to encrypt legitimate transactions, properly sanitizing incoming data and always using active monitoring solutions to detect emerging threats such as fileless ransomware and cross-platform malware.

The Magento problem also highlighted the ongoing challenge of user impact in retail IT security: while code vulnerabilities make it possible for attackers to inject malicious files, it still takes user action to actually execute an attack. To stay safe, businesses should restrict the number of users with administrative access to the bare minimum, making it easier to prevent attacks and detect problems if they emerge.

It’s also a good idea to regularly remind users of potential risk. For those with the right permissions, simply visiting compromised websites may be enough to jeopardize e-commerce data.

The newly public Magento flaw poses serious risk for e-commerce stores. With no fix available, security researchers recommended that IT administrators both enable the “Add Secret Keys to URLs” function and disallow .htaccess files in specific directories. It’s not a perfect solution, but with billions in revenue on the line and attackers drawn to any weakness, it’s worth repelling them wherever and whenever possible.
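The three defensive properties described above (a state-changing admin action that only accepts POST, a per-session secret key embedded in admin URLs, and a media directory that never stores dotfiles or scripts) can be modelled in a small request handler. This is an added illustration, not Magento's or DefenseCode's code; the route name, parameter names and `Session` type are hypothetical stand-ins.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict

# Constructed model of an admin "fetch remote image" action. Hypothetical
# names only; it mirrors the mitigations the advisory recommends rather
# than any real store's implementation.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
ROUTE = "retrieve_image"  # hypothetical route identifier


@dataclass
class Session:
    session_id: str
    # Server-side secret; only the derived per-route key reaches the browser.
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def url_key(self, route: str) -> str:
        """Secret key that must appear in admin URLs for this session and route."""
        msg = f"{self.session_id}:{route}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()


def safe_basename(remote_name: str) -> bool:
    """Reject names that would become server config (.htaccess) or code (.php)."""
    name = remote_name.rsplit("/", 1)[-1].lower()
    if not name or name.startswith(".") or "\x00" in name:
        return False  # dotfiles, empty names, NUL-byte tricks
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    # Name check only: content sniffing and AllowOverride None still apply.
    return ext in ALLOWED_EXTENSIONS


def handle_retrieve_image(method: str, params: Dict[str, str], session: Session) -> str:
    """Return 'stored' or a rejection reason for one remote-image request."""
    if method.upper() != "POST":
        return "rejected: state-changing action must be POST"
    supplied = params.get("key", "").encode()
    expected = session.url_key(ROUTE).encode()
    # Constant-time compare so the key cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied, expected):
        return "rejected: missing or invalid secret key"
    if not safe_basename(params.get("remote_image", "")):
        return "rejected: file type not allowed in media directory"
    return "stored"
```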
