Vulnerable Magento Extensions Exploited to Plant Skimmers

Threat actors have once again targeted the Magento platform. The purpose of the campaign is planting payment card skimmers on online stores. According to security researcher Willem de Groot, at least 20 Magento extensions have been abused due to a number of unpatched zero-day vulnerabilities.




This is not the first time de Groot has uncovered serious Magento issues. In September, the researcher uncovered the most successful skimming campaign, revolving around the MagentoCore skimmer. The skimmer has already infected 7,339 Magento stores in the last 6 months, thus becoming the most aggressive campaign discovered until now.

2 out of 20 Vulnerable Magento Extensions Identified

As for the current case, de Groot has successfully identified 2 of the 20 extensions and is seeking help from fellow researchers to uncover the rest. This is needed so that the zero-day flaws are patched. The good news is that he has provided a series of URL paths that have been exploited to compromise online stores running the vulnerable extensions.

While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s unserialize() function, letting attackers inject their own PHP code into the site. With that, they are able to modify the database or any JavaScript files. As of today, many popular PHP applications still use unserialize().

It appears that Magento replaced most of the vulnerable functions with json_decode() in patch 8788. Unfortunately, many of its popular extensions did not, the researcher noted in his post. As explained by Yonathan Klijnsma, a researcher at RiskIQ and one of the experts who has been helping de Groot, “core platforms tend to be pretty good, it’s just the plugins that keep messing up”.
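The difference between the two decoding functions mentioned above, as an added example that is not code from the article, from Magento or from any of the extensions. ProbeObject, legacyDecode() and safeDecode() are hypothetical names, the input is constructed, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added example: hypothetical names, constructed input. The magic method
// below only records a log line so the effect is visible.
final class ProbeObject
{
    public static $events = [];
    public $label = '';

    // PHP calls __wakeup() automatically whenever unserialize() rebuilds this class.
    public function __wakeup(): void
    {
        self::$events[] = '__wakeup ran for label=' . $this->label;
    }
}

// Pattern the article describes: request data passed straight to unserialize().
function legacyDecode(string $raw)
{
    return unserialize($raw);
}

// Replacement: JSON can only carry scalars, arrays and plain objects, so no
// application class is instantiated and no magic method runs.
function safeDecode(string $raw): array
{
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// Constructed stand-in for a request parameter: the sender chooses the class
// and its property values.
$probe = new ProbeObject();
$probe->label = 'chosen-by-sender';
$wire = serialize($probe);

$rebuilt = legacyDecode($wire);
echo get_class($rebuilt), ' | events: ', count(ProbeObject::$events), PHP_EOL;

// Where unserialize() has to stay, refuse every class: the result is a
// __PHP_Incomplete_Class placeholder and __wakeup() is never called.
ProbeObject::$events = [];
$inert = unserialize($wire, ['allowed_classes' => false]);
echo get_class($inert), ' | events: ', count(ProbeObject::$events), PHP_EOL;

print_r(safeDecode('{"label":"chosen-by-sender"}'));
```

When auditing an extension, every unserialize() call whose argument can be traced to a request parameter, cookie or stored user data is a candidate for one of the two replacements shown.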

The two identified extensions are the Webcooking_SimpleBundle Magento extension and TBT_Rewards. The developer of the first extension has already released a fix. The second one, however, appears to have been abandoned a while ago, so any online store that has this extension installed should remove it immediately.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
