Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Bug Technology

Year-Old Critical Magento Flaw Still Exploited, Payment Info Stolen 35

Orome1 writes: A whole year has passed since a critical e-shop hijacking flaw in the Magento CMS has been patched, but the vulnerability is still being exploited in attacks in the wild, warns Sucuri researcher Denis Sinegubko. At the time, the Magento development team pushed out a patch (SUPEE-5344) but after two whole months, 98,000 online merchants still hadn't implemented it. This forced the team to send out email alerts directly to the users, urging them to apply the patch immediately. Obviously, even that was not enough. Attackers are still actively deploying malware that exploits the vulnerability to inject malicious code into the Magento core file.
This discussion has been archived. No new comments can be posted.

Year-Old Critical Magento Flaw Still Exploited, Payment Info Stolen

Comments Filter:
  • Helmet (Score:2, Funny)

    by Anonymous Coward

    We all know by now. Just take off his helmet and Professor X can get in his mind.

  • So, the oh-so-predictable "assume random e-commerce sites are security risks and don't use them"?

    Now I'm shocked that everyone who hoists a storefront on the web shouldn't be trusted. No, wait, the other one.

    This seems like it should have been expected, that's an awful lot of sites to assume they'd all keep up with security updates.

    • by Anonymous Coward

      Magento is the Wordpress of eCommerce. Free software that anyone can download, install on a server and modify/maintain/neglect as they see fit. A handy platform if you know what you are doing. A disaster waiting to happen if you don't.

      I also expect that a large percentage of the "stores" out there are zombie installations that never transact any business.

  • Headline Translation: "Users Don't Update Stuff, Film at 11"

    • And until companies bear legal liability for these kinds of things they fail to fix, assume it will keep happening.

      Running an e-commerce site with a year old known flaw? Sorry, that's either negligence or incompetence. In neither case should you be trusted to run an e-commerce site.

      The internet is a cesspool of terrible security, and I don't see that changing as long as companies just utterly fail to keep on top of this stuff.

      • What's incompetent is implementing a small e-commerce site which actually handles financial data. There's simply no reason to. It's almost trivial to set up a Paypal business account which handles payment processing; the e-commerce site just sends the shipping cart over and redirects the customer to Paypal, and then the customer enters their credit card info there (or logs in), pays, and gets redirected back for order confirmation.

        The only reason the e-commerce site should ever handle that data is because

        • What's incompetent is implementing a small e-commerce site which actually handles financial data. There's simply no reason to. It's almost trivial to set up a Paypal business account which handles payment processing; the e-commerce site just sends the shipping cart over and redirects the customer to Paypal, and then the customer enters their credit card info there (or logs in), pays, and gets redirected back for order confirmation.

          ^^^^^THIS. Get a Paypal business account or use something like Authorize.net or 2CheckOut or any of a hundred other solutions.. Ecommerce is fraught with pitfalls and if Joe and Jane Sixpack do it you can almost bet they'll do it wrong. Keeping credit card numbers (a mistake I see over and over) is just plain foolish, and can subject you to some serious penalties if you screw up (or if someone screws you up).

          So I agree 100%- let a well-established company handle this stuff. I have quite a few card payment f

      • Exactly and its because these sites are not being held to the same standards as B&M stores and this needs to end. If a local B&M let their security get THIS lax, so money and merchandise was just walking out the store by the truckload and customers were getting robbed and their cars busted into a dozen times a day? No insurance would have anything to do with them, no suppliers would sell to them, and most importantly the CC companies would yank every card scanner they had and they would go out of bu

  • Isn't it open source?

    Why is there no fix then?

    • by Anonymous Coward
      For crying out loud, did you even read the *summary*?
    • -1 Stupid. Read the fucking summary, open-source-hating moron.

      There *is* a fix, the problem is the users haven't applied it.

      And Magento is only barely "open source". There's not a single comment anywhere in their source code; it's not made to be easy for others to work with, it's only "open" so they can sell it as such, and then get customers to send them $$$ for customizations because it's too much of a PITA to do it yourself when the code is so intentionally obtuse.

  • So everybody knows not to use those merchants and they find themselves with their foolish SEO navel gazing efforts.
  • by Anonymous Coward

    I had my own run in with this bug. I'd patched my production servers, but had an unpatched development server that was publicly exposed to the Internet for testing some things with outside vendors. I didn't realize it was unpatched--just happened to install that from a backup that predated installing SUPEE-5344. It was fun to go through the system in a virtualbox after it got hacked and mess around with the "Linux.Encoder.1" ransomware they uploaded to the server. http://daviddeppner.com/blog/magento-ra

  • Too bad its update mechanism sucks balls. You can apply "patches", which I find often require fuzzy matches to work, but you can't actually UPGRADE to a newer version, you have to install that on a separate folder and database, then schedule a time to take it all down and export/import the whole database, orders, themes and all. It's crazy complex compared to Wordpress' simply Upgrade Now button.

Advertising is the rattling of a stick inside a swill bucket. -- George Orwell

Working...