Ecommerce platform Magento is “strongly” recommending that its customers install its latest security patches, with hackers exploiting a recently disclosed remote code execution vulnerability on unpatched shopping sites to steal card details.
Magento, bought by Adobe for $1.68 billion in May 2018, is an open-source ecommerce platform through which users build online stores, making it a ripe target for threat actors looking to steal shoppers’ financial credentials.
Magento-powered stores have previously been widely hit by the so-called Magecart threat group(s), which exploit code vulnerabilities in the platform to layer fake payments pages on ecommerce sites, then skim payments.
Read this: Magecart’s 7 Groups: Hackers Dropping Counter-Intelligence Code in JavaScript Skimmers
The platform is warning users that Magento Commerce v2.3.1 and Page Builder Beta are in urgent need of a security update.
Otherwise attackers can “enable an unauthenticated user to insert a malicious payload into a merchant’s site and execute it.”
The security alert comes after Magento released a patch for the vulnerability CVE-2019-8144, a remote code execution exploit that allows hackers to inject malicious payloads into Magento via PageBuilder template manipulations.
The E-commerce platform pushed out patches for the vulnerability at the beginning of October, but are warning all merchants this week afresh to make sure they have installed the latest security updates.
Content from our partners
Prime Target
Magento sites continue to be low hanging fruit for attackers.
As the UK’s National Cyber Security Centre (NCSC)’s annual report notes, the agency shut down 1,102 attacks running skimming code on the platform. “They [Hackers] had written malicious JavaScript code which copied all credit card transactions and silently sent the results to domains controlled by them.”
Once users have applied the latest security updates Magento is strongly recommending that everyone assesses the security of their Magento site to confirm that it was not potentially compromised before upgrading: “Applying this hot fix…will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.”
Magento Security Warning Recommendations
For customers running Magento 2.3.1—
- Install the MDVA-22979_EE_2.3.1_v1 patch now, and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
- Review your site and your server for signs of potential compromise.
- Please note that editing an email template will not work as expected after the MDVA-22979_EE_2.3.1_v1 patch has been applied. However, this feature still works as expected from the email templates grid.
For customers running Magento 2.3.2 —
- Install MDVA-22979_EE_2.3.2_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
- Review your site and your server for signs of potential compromise.
- “Merchants running unsupported versions of Page Builder, such as Page Builder Beta, should follow the instructions for the version of Magento 2.3.x they are running.”
In an advisory note to Magento Commerce Cloud customers, the platform states that due to security measures implemented to block this vulnerability administrators will not be able to view previews for products, blocks and dynamic blocks.
Magento is working on this issue.
