Magento, an Adobe-owned platform, announced the launching of an update patch to correct some critical SQL injection vulnerabilities; according to the authors of the book ‘Learn ethical hacking‘, one of these vulnerabilities is really easy to exploit, plus no authentication is required to do so.
Magento is one of the most used e-commerce
platforms. According to the figures provided by the company itself,
transactions were made for over $155 billion USD in Magento only for 2018.
Approximately 300k companies resort to the use of this software, including Coca
Cola, BevMo! (liquor retailer) and Tom Dixon (furniture retailer).
According to the authors of ‘Learn ethical
hacking’, most of the reported vulnerabilities require authentication or
minimum privilege levels to be exploited. However, a SQL injection
vulnerability that can be exploited without the need for privileges or
authentication was also detected.
An attack that does not require authentication
can be really serious because the attack process can be automated. Because of
this, malicious hackers can organize large-scale attacks on vulnerable
platforms; these factors, along with the ease of exploitation and the possible
consequences, have made this flaw especially dangerous.
The SQL injection vulnerability could be used
to extract usernames and hash passwords from database implementations such as
Oracle and MySQL. The authors of ‘Learn ethical hacking’ urge the company’s
customers to update their systems as soon as possible to mitigate the risks of
exploitation.
A group of cybersecurity specialists applied
reverse engineering to the update patch to find out exactly what corrections
were made. According to experts, the update flaws such as fake cross-site
requests, cross-site scripting, SQL injection, and remote code injection. The
experts confirmed that there is no evidence of exploitation of these
vulnerabilities in the wild.
E-commerce websites are frequent victims of
cyberattacks which use malware to extract payment cards data (card skimmers). Specialists
have detected multiple groups of malicious hackers using these techniques to
extract payment card information.
Although these are not recently developed
attack tactics, the criminals have refined these methods, finding a way to
enter a system and engage it stealthily; even some tools developed by third
parties for marketing and data analysis work can be used to steal payment cards
data.
