Year-Old Critical Magento Flaw Still Exploited, Payment Info Stolen

Orome1 writes: A whole year has passed since a critical e-shop hijacking flaw in the Magento CMS has been patched, but the vulnerability is still being exploited in attacks in the wild, warns Sucuri researcher Denis Sinegubko. At the time, the Magento development team pushed out a patch (SUPEE-5344) but after two whole months, 98,000 online merchants still hadn't implemented it. This forced the team to send out email alerts directly to the users, urging them to apply the patch immediately. Obviously, even that was not enough. Attackers are still actively deploying malware that exploits the vulnerability to inject malicious code into the Magento core file.

Helmet

We all know by now. Just take off his helmet and Professor X can get in his mind.

Re:Helmet

[Chris+Mattern]

Came to make Magneto joke, was beaten to it.

Hmmm ....

[gstoddart]

So, the oh-so-predictable "assume random e-commerce sites are security risks and don't use them"?

Now I'm shocked that everyone who hoists a storefront on the web shouldn't be trusted. No, wait, the other one.

This seems like it should have been expected, that's an awful lot of sites to assume they'd all keep up with security updates.

Re:Hmmm ....

Magento is the Wordpress of eCommerce. Free software that anyone can download, install on a server and modify/maintain/neglect as they see fit. A handy platform if you know what you are doing. A disaster waiting to happen if you don't.

I also expect that a large percentage of the "stores" out there are zombie installations that never transact any business.

Re:No mention of the merchants?

[gstoddart]

I'd like to avoid those merchants since they're potentially putting me at risk.

Are they on the internet? Then they're probably putting you at risk.

If big players like Amazon can get security breeches, that mom and pop shop which had a college student build them an e-commerce site hasn't got a chance.

Plan accordingly. Small security holes on the internet tend to get magnified into big, giant, widespread security holes.

What? Say it isn't so!

[JustAnotherOldGuy]

Headline Translation: "Users Don't Update Stuff, Film at 11"

Re:What? Say it isn't so!

[gstoddart]

And until companies bear legal liability for these kinds of things they fail to fix, assume it will keep happening.

Running an e-commerce site with a year old known flaw? Sorry, that's either negligence or incompetence. In neither case should you be trusted to run an e-commerce site.

The internet is a cesspool of terrible security, and I don't see that changing as long as companies just utterly fail to keep on top of this stuff.

Re:What? Say it isn't so!

[Grishnakh]

What's incompetent is implementing a small e-commerce site which actually handles financial data. There's simply no reason to. It's almost trivial to set up a Paypal business account which handles payment processing; the e-commerce site just sends the shipping cart over and redirects the customer to Paypal, and then the customer enters their credit card info there (or logs in), pays, and gets redirected back for order confirmation.

The only reason the e-commerce site should ever handle that data is because they're someone like Amazon and want to make it really easy for the customer to re-order stuff or buy more stuff on the same card, and also because if you're Amazon you do your own payment processing. If you're some little mom-n-pop shop, you shouldn't be thinking about any of that stuff, you should be staying far away from handling customer financial data and letting your payment processor handle it for you.

Re:What? Say it isn't so!

[JustAnotherOldGuy]

What's incompetent is implementing a small e-commerce site which actually handles financial data. There's simply no reason to. It's almost trivial to set up a Paypal business account which handles payment processing; the e-commerce site just sends the shipping cart over and redirects the customer to Paypal, and then the customer enters their credit card info there (or logs in), pays, and gets redirected back for order confirmation.

^^^^^THIS. Get a Paypal business account or use something like Authorize.net or 2CheckOut or any of a hundred other solutions.. Ecommerce is fraught with pitfalls and if Joe and Jane Sixpack do it you can almost bet they'll do it wrong. Keeping credit card numbers (a mistake I see over and over) is just plain foolish, and can subject you to some serious penalties if you screw up (or if someone screws you up).

So I agree 100%- let a well-established company handle this stuff. I have quite a few card payment forms on various sites but I never handle the transactions- customers fill in a minimal amount of info and then get forwarded to Authorize.net or 2CheckOut for the actual processing. I never see any of their card data and so I don't have to worry about keeping it secure.

Re:What? Say it isn't so!

[hairyfeet]

Exactly and its because these sites are not being held to the same standards as B&M stores and this needs to end. If a local B&M let their security get THIS lax, so money and merchandise was just walking out the store by the truckload and customers were getting robbed and their cars busted into a dozen times a day? No insurance would have anything to do with them, no suppliers would sell to them, and most importantly the CC companies would yank every card scanner they had and they would go out of business in a week.

The same needs to happen with e-commerce, the CC companies need to pull their ability to take cards, in fact I would go one further and say we need something similar to WOT or Comodo DNS blocking when it comes to e-commerce, something that will load a page when you try to go to these sites that has something like a red stop sign and "This site has been cited for not securing user data and credit information X number of times, and it has been reported that they are using software as of (this date) that is currently vulnerable to attack. Do you wish to continue?" so that the user can make a somewhat informed choice as to whether to shop there. I'm sure if this were to happen? These companies would go out of their way to fix shit REAL quick.

Re:Open source

For crying out loud, did you even read the *summary*?

Re:No mention of the merchants?

[Grishnakh]

This is exactly why sites should never handle credit card or other financial info. Decent mom-n-pop sites just use Paypal or Square or whatever, where all they do is implement a shopping cart, send the total over to the payment processor's website and redirect the user there, and then the user pays the processor (so the mom-n-pop shop never sees the CC#), then gets returned to the merchant website for confirmation.

It's easy to write the code for this, and security just isn't a big concern because the mom-n-pop site isn't handling any critical data. There's not even a need for HTTPS encryption (until they get forwarded to the payment processor). Why sites would do it any other way is beyond me; the main reason seems to be something stupid like "so the customer has a consistent experience".

Let the payment processor handle the critical data and deal with PCI compliance and all that. Don't try to do it yourself.

Re:Open source

[Grishnakh]

-1 Stupid. Read the fucking summary, open-source-hating moron.

There *is* a fix, the problem is the users haven't applied it.

And Magento is only barely "open source". There's not a single comment anywhere in their source code; it's not made to be easy for others to work with, it's only "open" so they can sell it as such, and then get customers to send them $$$ for customizations because it's too much of a PITA to do it yourself when the code is so intentionally obtuse.

They need to publish the list

[jafiwam]

So everybody knows not to use those merchants and they find themselves with their foolish SEO navel gazing efforts.

Patch Non-Production Servers As Well

I had my own run in with this bug. I'd patched my production servers, but had an unpatched development server that was publicly exposed to the Internet for testing some things with outside vendors. I didn't realize it was unpatched--just happened to install that from a backup that predated installing SUPEE-5344. It was fun to go through the system in a virtualbox after it got hacked and mess around with the "Linux.Encoder.1" ransomware they uploaded to the server. http://daviddeppner.com/blog/magento-ransomware is a Blog post I wrote about the experience.

Re:No mention of the merchants?

[Grishnakh]

So basically they do it because customers are so stupid they want a "frictionless" experience on the website rather than the security of only trusting their credit card details to a large organization that is more likely to have proper security than some random mom-n-pop website?

Upgrade mech sucks

[cdwiegand]

Too bad its update mechanism sucks balls. You can apply "patches", which I find often require fuzzy matches to work, but you can't actually UPGRADE to a newer version, you have to install that on a separate folder and database, then schedule a time to take it all down and export/import the whole database, orders, themes and all. It's crazy complex compared to Wordpress' simply Upgrade Now button.

Re:No mention of the merchants?

[Grishnakh]

Maybe I'm missing something, but what the heck are you talking about? This is about Magento, which is a PHP-based e-commerce system that runs on smallish websites. This has nothing to do with smartphone-based in-person payment systems (like you'd see at a small brick-and-mortar shop), or with Windows in any way (no one runs PHP on Windows, and you're talking about Windows-based POS, we're not talking about POS here, we're talking about web shops).

For a small mom-n-pop web shop, I don't think you're going to find a payment processor with better rates than Paypal/Square. Bigger sites with a lot of volume can find better rates, but when you're small they're generally not worth it because of the fees.