Magneto Vulnerability: Cybercriminals Drawn to E-commerce Exploit
Sales via e-commerce platforms are rising. In fact, Forbes noted the November and December 2016 totals alone equaled more than $110 billion worldwide. But growing technological adoption has also spurred cybercriminal activity, with attackers looking for any way to crack e-commerce security measures and steal payment data.
SecurityWeek explained one vulnerability in the popular e-commerce platform Magneto could do more than just draw cybercriminal interest: With effective execution, malicious actors could gain total control of targeted systems.
Informing the Public
DefenseCode first detected the vulnerability in November 2016, and then reported to Magneto using its bug bounty program. Although Magneto acknowledged the issue, no fix was forthcoming, and DefenseCode chose to make its discovery public.
So what’s the risk? CIO said it all starts with Vimeo. Using a built-in Magneto feature, users can add Vimeo video content to their e-commerce shop for an existing product. The platform grabs a preview image using a POST request — but it’s possible for attackers to change the command from POST to GET, paving the way for a cross-site request forgery (CSRF) attack by uploading an arbitrary file.
While these files aren’t allowed on Magneto-based e-commerce sites, they’re still saved to the site’s server, allowing attackers to easily identify the save location, then upload a malicious PHP script and an .htaccess file into the same directory. To execute the attack, fraudsters must convince any user with admin panel access to access a specially crafted webpage.
Also worth noting is that even low-privilege accounts can access the remote image retrieval function and execute the CSRF, which grants threat actors full access to system databases and potentially full system control. This currently unpatched vulnerability puts more than 250,000 sites at risk.
Safeguarding Against the Vulnerability
So how do companies increase the security of their e-commerce site? Ideally, a fix is forthcoming for the Magneto issue, which will shut down at least one potential avenue of attack. But the value of e-commerce data means that cybercriminals are constantly looking for new ways to bypass defenses or leverage seemingly innocuous functions to gain complete control.
Multichannel Merchant explained it’s critical for companies to proceed with caution and assume all traffic heading to their website is potentially malicious. This means using SSL to encrypt legitimate transactions, properly sanitizing incoming data and always using active monitoring solutions to detect emerging threats such as fileless ransomware and cross-platform malware.
The Magneto problem also highlighted the ongoing challenge of user impact in retail IT security: While code vulnerabilities make it possible for attackers to inject malicious files, it still takes user action to actually execute an attack. To stay safe, businesses should restrict the number of users with administrative access to the bare minimum, making it easier to prevent attacks and detect problems if they emerge.
It’s also a good idea to regularly remind users of potential risk. For those with the right permissions, simply visiting compromised websites may be enough to jeopardize e-commerce data.
The newly public Magneto flaw poses serious risk for e-commerce stores. With no fix available, security researchers recommended that IT administrators both enable the “Add Secret Keys to URLs” function and disallow .htacess files in specific directories. It’s not a perfect solution, but with billions in revenue on the line and attackers drawn to any weakness, it’s worth repelling them wherever and whenever possible.