Year-Old Critical Magento Flaw Still Exploited, Payment Info Stolen
Orome1 writes: A whole year has passed since a critical e-shop hijacking flaw in the Magento CMS was patched, but the vulnerability is still being exploited in attacks in the wild, warns Sucuri researcher Denis Sinegubko. At the time, the Magento development team pushed out a patch (SUPEE-5344), but after two whole months 98,000 online merchants still hadn't implemented it. This forced the team to send out email alerts directly to the users, urging them to apply the patch immediately. Obviously, even that was not enough. Attackers are still actively deploying malware that exploits the vulnerability to inject malicious code into the Magento core file.
Helmet (Score:2, Funny)
We all know by now. Just take off his helmet and Professor X can get in his mind.
Re: (Score:2)
Came to make Magneto joke, was beaten to it.
Hmmm .... (Score:2)
So, the oh-so-predictable "assume random e-commerce sites are security risks and don't use them"?
Now I'm shocked that everyone who hoists a storefront on the web shouldn't be trusted. No, wait, the other one.
This seems like it should have been expected, that's an awful lot of sites to assume they'd all keep up with security updates.
Re: (Score:1)
Magento is the WordPress of eCommerce. Free software that anyone can download, install on a server and modify/maintain/neglect as they see fit. A handy platform if you know what you are doing. A disaster waiting to happen if you don't.
I also expect that a large percentage of the "stores" out there are zombie installations that never transact any business.
Re: (Score:2)
Are they on the internet? Then they're probably putting you at risk.
If big players like Amazon [securityweek.com] can get security breaches, that mom and pop shop which had a college student build them an e-commerce site hasn't got a chance.
Plan accordingly. Small security holes on the internet tend to get magnified into big, giant, widespread security holes.
Re: (Score:2)
This is exactly why sites should never handle credit card or other financial info. Decent mom-n-pop sites just use Paypal or Square or whatever, where all they do is implement a shopping cart, send the total over to the payment processor's website and redirect the user there, and then the user pays the processor (so the mom-n-pop shop never sees the CC#), then gets returned to the merchant website for confirmation.
It's easy to write the code for this, and security just isn't a big concern because the mom-n
Re: (Score:2)
So basically they do it because customers are so stupid they want a "frictionless" experience on the website rather than the security of only trusting their credit card details to a large organization that is more likely to have proper security than some random mom-n-pop website?
Re: (Score:2)
Maybe I'm missing something, but what the heck are you talking about? This is about Magento, which is a PHP-based e-commerce system that runs on smallish websites. This has nothing to do with smartphone-based in-person payment systems (like you'd see at a small brick-and-mortar shop), or with Windows in any way (no one runs PHP on Windows, and you're talking about Windows-based POS, we're not talking about POS here, we're talking about web shops).
For a small mom-n-pop web shop, I don't think you're going
What? Say it isn't so! (Score:2)
Headline Translation: "Users Don't Update Stuff, Film at 11"
Re: (Score:2)
And until companies bear legal liability for these kinds of things they fail to fix, assume it will keep happening.
Running an e-commerce site with a year-old known flaw? Sorry, that's either negligence or incompetence. In neither case should you be trusted to run an e-commerce site.
The internet is a cesspool of terrible security, and I don't see that changing as long as companies just utterly fail to keep on top of this stuff.
Re: (Score:2)
What's incompetent is implementing a small e-commerce site which actually handles financial data. There's simply no reason to. It's almost trivial to set up a Paypal business account which handles payment processing; the e-commerce site just sends the shopping cart over and redirects the customer to Paypal, and then the customer enters their credit card info there (or logs in), pays, and gets redirected back for order confirmation.
The only reason the e-commerce site should ever handle that data is because
Re: (Score:2)
What's incompetent is implementing a small e-commerce site which actually handles financial data. There's simply no reason to. It's almost trivial to set up a Paypal business account which handles payment processing; the e-commerce site just sends the shopping cart over and redirects the customer to Paypal, and then the customer enters their credit card info there (or logs in), pays, and gets redirected back for order confirmation.
^^^^^THIS. Get a Paypal business account or use something like Authorize.net or 2CheckOut or any of a hundred other solutions. Ecommerce is fraught with pitfalls and if Joe and Jane Sixpack do it you can almost bet they'll do it wrong. Keeping credit card numbers (a mistake I see over and over) is just plain foolish, and can subject you to some serious penalties if you screw up (or if someone screws you up).
So I agree 100%- let a well-established company handle this stuff. I have quite a few card payment f
Re: (Score:2)
Open source (Score:1)
Isn't it open source?
Why is there no fix then?
Re: (Score:1)
Re: (Score:2)
-1 Stupid. Read the fucking summary, open-source-hating moron.
There *is* a fix, the problem is the users haven't applied it.
And Magento is only barely "open source". There's not a single comment anywhere in their source code; it's not made to be easy for others to work with, it's only "open" so they can sell it as such, and then get customers to send them $$$ for customizations because it's too much of a PITA to do it yourself when the code is so intentionally obtuse.
They need to publish the list (Score:2)
Patch Non-Production Servers As Well (Score:1)
I had my own run-in with this bug. I'd patched my production servers, but had an unpatched development server that was publicly exposed to the Internet for testing some things with outside vendors. I didn't realize it was unpatched; I just happened to install that from a backup that predated installing SUPEE-5344. It was fun to go through the system in a VirtualBox after it got hacked and mess around with the "Linux.Encoder.1" ransomware they uploaded to the server. http://daviddeppner.com/blog/magento-ra
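The scenario above (a dev box restored from a pre-patch backup) is the kind of drift an inventory check catches. The script below is an added example, not code from the thread or from Magento; it assumes the Magento 1 SUPEE patch scripts append one "|"-separated line per applied patch to app/etc/applied.patches.list with the patch name in the second field, and the two sample install roots it builds are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report which Magento 1 install roots
# record a given patch in app/etc/applied.patches.list.
# Assumption: the SUPEE patch scripts append one line per patch to that file,
# "|"-separated, with the patch name (e.g. SUPEE-5344) in the second field.

# magento_patch_applied ROOT PATCH
#   prints "ROOT: PATCH applied" or "ROOT: PATCH MISSING"; returns 0 if applied.
magento_patch_applied() {
    root="$1"; patch="$2"
    list="$root/app/etc/applied.patches.list"
    if [ -f "$list" ] && awk -F'|' -v p="$patch" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $2); if ($2 == p) found = 1 }
            END { if (found) exit 0; exit 1 }' "$list"; then
        echo "$root: $patch applied"; return 0
    fi
    # No list file at all (never patched) or patch name absent from it.
    echo "$root: $patch MISSING"; return 1
}

# count_unpatched PATCH ROOT...  -> prints how many roots lack PATCH
count_unpatched() {
    patch="$1"; shift; n=0
    for r in "$@"; do
        magento_patch_applied "$r" "$patch" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: production was patched, dev was restored from an older
# backup and its patch list predates SUPEE-5344. Prints the temp base dir.
make_sample_roots() {
    base=$(mktemp -d)
    mkdir -p "$base/prod/app/etc" "$base/dev/app/etc"
    printf '%s\n' \
      '2015-02-10 12:00:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 0000000 | sample | v1.9.1.0..HEAD' \
      > "$base/prod/app/etc/applied.patches.list"
    : > "$base/dev/app/etc/applied.patches.list"
    echo "$base"
}
```

Run it against every install root you own, non-production ones included; a restored backup silently rolls the list back along with the code.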
Upgrade mech sucks (Score:2)
Too bad its update mechanism sucks balls. You can apply "patches", which I find often require fuzzy matches to work, but you can't actually UPGRADE to a newer version; you have to install that in a separate folder and database, then schedule a time to take it all down and export/import the whole database, orders, themes and all. It's crazy complex compared to WordPress' simple Upgrade Now button.