A major flaw in eBay's Magento ecommerce platform, which is used by many well-known online stores, has been revealed.
If exploited, the vulnerability enables attackers to compromise any online store running on the Magento platform and to access credit card information and other customer financial and personal data.
The flaw bypasses the platform's security mechanisms and gives an attacker full control of the store and its entire database, allowing the theft of credit card data and administrative access to the system.
“As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.
“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30 per cent of the ecommerce market.”
Check Point privately disclosed these vulnerabilities, together with a list of suggested fixes, to eBay prior to public disclosure. A patch addressing the flaws, SUPEE-5344, was released on 9 February 2015. Store owners and administrators are urged to apply the patch immediately.