April 17, 2017 By Douglas Bonderud 2 min read

Sales via e-commerce platforms are rising. In fact, Forbes noted the November and December 2016 totals alone equaled more than $110 billion worldwide. But growing technological adoption has also spurred cybercriminal activity, with attackers looking for any way to crack e-commerce security measures and steal payment data.

SecurityWeek explained that one vulnerability in the popular e-commerce platform Magento could do more than just draw cybercriminal interest: with effective execution, malicious actors could gain total control of targeted systems.

Informing the Public

DefenseCode first detected the vulnerability in November 2016 and reported it to Magento through the company's bug bounty program. Although Magento acknowledged the issue, no fix was forthcoming, and DefenseCode chose to make its discovery public.

So what’s the risk? CIO said it all starts with Vimeo. Using a built-in Magento feature, users can add Vimeo video content to their e-commerce shop for an existing product. The platform grabs a preview image using a POST request, but it’s possible for attackers to change the request method from POST to GET, paving the way for a cross-site request forgery (CSRF) attack that uploads an arbitrary file.

While these files aren’t allowed on Magento-based e-commerce sites, they’re still saved to the site’s server, allowing attackers to easily identify the save location and then upload a malicious PHP script and an .htaccess file into the same directory. To execute the attack, fraudsters must convince any user with admin panel access to visit a specially crafted webpage.

Also worth noting is that even low-privilege accounts can access the remote image retrieval function and execute the CSRF, which grants threat actors full access to system databases and potentially full system control. This currently unpatched vulnerability puts more than 250,000 sites at risk.

Safeguarding Against the Vulnerability

So how do companies increase the security of their e-commerce site? Ideally, a fix is forthcoming for the Magento issue, which will shut down at least one potential avenue of attack. But the value of e-commerce data means that cybercriminals are constantly looking for new ways to bypass defenses or leverage seemingly innocuous functions to gain complete control.

Multichannel Merchant explained it’s critical for companies to proceed with caution and assume all traffic heading to their website is potentially malicious. This means using SSL to encrypt legitimate transactions, properly sanitizing incoming data and always using active monitoring solutions to detect emerging threats such as fileless ransomware and cross-platform malware.

The Magento problem also highlighted the ongoing challenge of user impact in retail IT security: while code vulnerabilities make it possible for attackers to inject malicious files, it still takes user action to actually execute an attack. To stay safe, businesses should restrict the number of users with administrative access to the bare minimum, making it easier to prevent attacks and to detect problems if they emerge.

It’s also a good idea to regularly remind users of potential risk. For those with the right permissions, simply visiting compromised websites may be enough to jeopardize e-commerce data.

The newly public Magento flaw poses serious risk for e-commerce stores. With no fix available, security researchers recommended that IT administrators both enable the “Add Secret Keys to URLs” function and disallow .htaccess files in specific directories. It’s not a perfect solution, but with billions in revenue on the line and attackers drawn to any weakness, it’s worth repelling them wherever and whenever possible.
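The two interim mitigations above, and the request-method switch that the flaw relied on, are easier to reason about in code. The following is an added example written for this article, not Magento's own implementation or DefenseCode's research code: it models a simplified admin request filter that refuses state-changing actions unless they arrive as POST and carry the session's secret URL key, and an upload filter that refuses .htaccess overrides and server-side script extensions in a media directory. The action paths, the session secret and the sample requests are all constructed for illustration.

```python
import hmac
import os
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed session secret standing in for the per-session key that an
# "add secret key to URLs" scheme appends to every admin link. This is a
# simplified model of the idea, not Magento's actual mechanism.
SESSION_SECRET = "7f3a9c1e5b2d4068a1c3e5f7b9d2c4e6"

# Hypothetical admin actions that change server state. A plain GET to one of
# these is exactly what a third-party page could trigger in a CSRF attack.
STATE_CHANGING_ACTIONS = {"/admin/media/fetch_preview", "/admin/product/save"}

# Names and extensions that must never be written into a web-served media
# directory: an Apache override file or a script turns an upload into code.
BLOCKED_UPLOAD_NAMES = {".htaccess", ".htpasswd"}
BLOCKED_UPLOAD_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}


def csrf_request_allowed(method: str, url: str, session_secret: str) -> Tuple[bool, str]:
    """Decide whether an admin request may perform a state-changing action.

    Check 1: state-changing actions require POST, so switching the method to
             GET (the trick described above) is rejected outright.
    Check 2: the request must carry the session's secret key in the `key`
             query parameter, compared in constant time.
    Returns (allowed, reason).
    """
    parsed = urlparse(url)
    if parsed.path not in STATE_CHANGING_ACTIONS:
        return True, "read-only action"
    if method.upper() != "POST":
        return False, "state-changing action requires POST"
    supplied = parse_qs(parsed.query).get("key", [""])[0]
    if not hmac.compare_digest(supplied.encode("utf-8"), session_secret.encode("utf-8")):
        return False, "missing or invalid secret key"
    return True, "POST with valid secret key"


def upload_allowed(filename: str) -> Tuple[bool, str]:
    """Decide whether a fetched file may be stored in the media directory.

    Works on the basename only, so directory components (including '..')
    cannot influence the decision, and inspects every extension segment so
    that double extensions such as 'image.php.jpg' are also refused.
    """
    base = os.path.basename(filename.replace("\\", "/")).lower()
    if not base:
        return False, "empty file name"
    if base in BLOCKED_UPLOAD_NAMES:
        return False, "Apache override files are not allowed in media directories"
    segments = base.split(".")[1:]  # everything after the first dot
    if any(seg in BLOCKED_UPLOAD_EXTENSIONS for seg in segments):
        return False, "server-side script extensions are not allowed"
    return True, "plain media file"


def evaluate_constructed_requests() -> List[Tuple[str, str, bool]]:
    """Run the request filter over constructed admin requests (sample data)."""
    preview = "/admin/media/fetch_preview"
    requests = [
        # The method-switched request the vulnerability relied on: GET carrying
        # a valid key is still refused because the action requires POST.
        ("GET", f"{preview}?url=https://example.invalid/p.jpg&key={SESSION_SECRET}"),
        # POST without the secret key: a cross-site form post cannot know it.
        ("POST", f"{preview}?url=https://example.invalid/p.jpg"),
        # POST with a wrong key.
        ("POST", f"{preview}?key=0000000000000000000000000000000000"),
        # Legitimate request from the admin UI.
        ("POST", f"{preview}?url=https://example.invalid/p.jpg&key={SESSION_SECRET}"),
        # Read-only page: GET is fine.
        ("GET", "/admin/dashboard"),
    ]
    return [(m, u, csrf_request_allowed(m, u, SESSION_SECRET)[0]) for m, u in requests]


if __name__ == "__main__":
    for method, url, allowed in evaluate_constructed_requests():
        print(f"{'ALLOW' if allowed else 'DENY '} {method} {url}")
    for name in ["preview.jpg", ".htaccess", "shell.php", "image.php.jpg", "../../.htaccess"]:
        ok, reason = upload_allowed(name)
        print(f"{'ALLOW' if ok else 'DENY '} upload {name!r}: {reason}")
```

The method check and the secret-key check are deliberately independent: either one alone defeats the described attack, and keeping both means a future feature that accidentally accepts GET still fails closed on the missing key. The upload filter is the code-level counterpart of "disallow .htaccess files in specific directories"; in production it belongs alongside a web server configuration that ignores overrides and does not execute scripts in media paths, rather than in place of it.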
