Magento is the second largest global eCommerce platform. The company claims to have over 250,000 sites using its software transacting over US$100 billion per year. This makes Magento a lucrative target for cyber criminals. It gives them access to customers' payment card data and accounts.
The company recently released a set of patches that deal with several vulnerabilities. Most of the vulnerabilities will not be easy to exploit. They require the attacker to be authenticated and to have a level of privilege on the site. One vulnerability – PRODSECBUG-2198 – a SQL Injection attack, can be launched by any attacker.
When Magento issued its patches, it made it clear that there was no known attack against this vulnerability. It didn’t take long, however, before proof-of-concept code was published. That code came from Ambionics Security and is available on GitHub.
They were not the only company to look at this vulnerability. Security company Sucuri Services has published its own blog on this vulnerability. It claims to have reversed the official patch to create its own proof-of-concept code. However, it has declined to make that public.
What is a SQL Injection attack?
Put simply, a SQL Injection attack is where an attacker uses SQL queries to steal or damage data in a SQL database. It takes advantage of coding errors in input fields where the developer has failed to properly filter what is entered. The failure to restrict input fields is a common error in data-driven systems. However, in this case, rather than the application stopping when a user enters the wrong data, it allows the attacker to send commands to the database.
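To make the mechanism concrete, the following is an added illustration, written for this page and not taken from Magento or from either proof-of-concept. It uses an in-memory SQLite table with constructed sample rows to show the coding error described above (user input spliced into the SQL text) next to the corrected form (parameter binding), and a simple heuristic that flags request paths in constructed web-server log lines carrying SQL metacharacters, the kind of check a site owner reviewing logs after patching might run. Table and column names are invented for the example.

```python
"""Added example: an unfiltered input field versus a bound parameter, plus a log check."""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    # Constructed sample data; this is not Magento's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT NOT NULL, pw_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO customer (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The input is pasted into the statement text, so the database parses it as SQL.
    # A value containing a quote changes the query's logic instead of being matched literally.
    sql = f"SELECT id, email FROM customer WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # The input travels as a bound value; the statement text is fixed, so the input can
    # only ever be compared against the column, never interpreted as SQL.
    return conn.execute("SELECT id, email FROM customer WHERE email = ?", (email,)).fetchall()


# Heuristic used when reviewing access logs: quotes, comment markers and a few SQL keywords
# inside a decoded query string. It produces false positives (names with apostrophes, for
# instance), so it is a triage aid, not a verdict.
SQLI_HINT = re.compile(r"(?i)('|--|/\*|\bunion\b|\bsleep\s*\(|\bbenchmark\s*\()")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed log lines in common log format; the second one carries a quote in its query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2019:10:00:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2019:10:00:01 +0000] "GET /search?q=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 9876',
]


def suspicious_requests(lines):
    """Return the decoded request paths whose query strings match the heuristic."""
    flagged = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        decoded = unquote_plus(match.group(1))
        if SQLI_HINT.search(decoded):
            flagged.append(decoded)
    return flagged


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("normal lookup, vulnerable:", lookup_vulnerable(db, "alice@example.com"))
    print("crafted input, vulnerable:", lookup_vulnerable(db, crafted))  # returns every row
    print("crafted input, bound     :", lookup_safe(db, crafted))        # returns nothing
    print("flagged log requests     :", suspicious_requests(SAMPLE_LOG))
```

The vulnerable function returns every customer row for the crafted value because the quote closes the string literal and the remainder becomes part of the WHERE clause; the bound version treats the same value as an ordinary (non-matching) email address. The log check is deliberately coarse: its purpose is to surface requests worth a closer look, which is the first step of the log review that the advice later in this article recommends.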
SQL Injection attacks are not new. They have been known about for decades yet they continue to appear with monotonous regularity. What is particularly worrying about this case is that it seems the vulnerability has been there for some time.
Most SQL Injection attacks focus on stealing data. In this case it would look to grab customer data including usernames, passwords and payment card data if stored in the system. While some of this should be encrypted, there is no guarantee it cannot be cracked. The usernames alone will allow the attackers to search for other passwords associated with that username and try those in a credential attack.
It is not just customer data that is at risk. It is not uncommon for companies to use a single database to store login credentials for their own staff and customers. As such, attackers could target those internal accounts to gain greater access to the system.
Customers need to patch
In addition to Magento urging customers to patch their systems, other industry experts have repeated the advice.
Ilia Kolochenko, CEO, High-Tech Bridge commented: “This may lead to one of the most disastrous web hacking campaigns. Magento is mostly used on trusted e-commerce websites and thus opens a door to a great wealth of sensitive PII including valid credit card details. The most dangerous flaw is SQL injection that can be exploited without any pre-conditions, being sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen.
“Recently discovered, mass exploitation in the wild is probably the tip of the iceberg, as professional Black Hat groups could have already started the exploitation a couple of days ago or even earlier. Frequently, skilled attackers may even patch the vulnerability to preclude “competitors” from breaching the same target.
“All Magento website owners should urgently update their systems and check the web server and all other available logs for IoC (indicator of compromise). In case of a merest suspicion, detailed forensics should be conducted to determine whether the system was breached. These days, cybercriminals know how to cover their tracks, however, they may unwittingly suppress too much evidence and thereby expose their presence.”
Enterprise Times: What does this mean
Magento is very aware of the risks inherent in software. As Ambionics points out, there are over 2 million lines of PHP code in the platform. However, to help spot vulnerabilities early, Magento has always had an open and active bug bounty program. Since its acquisition by Adobe, it also uses the Adobe vulnerability disclosure program. Despite this, Magento has found itself chasing bugs and discovering exploit code appearing to target customers who are slow to patch.
The risks here are very high for Magento users. Those who can apply the patch need to do so immediately. Those who rely on third-parties to develop and maintain their systems need to ensure the maintenance agreement requires immediate patching in these circumstances.
For hackers, this is a good day. It is unlikely that the vast majority of systems will be patched within the next month. This gives them plenty of time to develop their own attacks against Magento. What will concern many is that Sucuri was able to build its proof-of-concept code quickly. Hackers won’t take any longer.