News

Magento ecommerce platform security flaw allowed access to sensitive data

Monday 1 April 2019 09:47 CET | News

Critical security vulnerabilities in Magento`s commercial and open source have allowed cybercriminals to skim credit card data of millions of online shoppers.

Over 300,000 ecommerce websites have been exposed to remote code execution, SQL injection and cross-site scripting. While many of almost three dozen vulnerabilities can be exploited only if attackers authenticate themselves on an ecommerce website, one of these vulnerabilities that allows an attacker to carry out SQL injection does not require any authentication on part of the attacker.

By carrying out SQL injection in a targeted ecommerce website that uses Magentos commercial or open source platform, attackers can inject their own commands to an SQL database and transfer sensitive data available on the database to a remote server. Such data may include credit card numbers and other personal details of people who made online purchases on the targeted site.

To patch these vulnerabilities, Magento has rushed in three new versions of its code-Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17- to prevent hackers from carrying out SQL injection to gain access to sensitive data.

Ilia Kolochenko, CEO of High-Tech Bridge, said that unless ecommerce platforms immediately patch their applications with the latest patches issued by Magento, the SQL injection flaw could lead to one of the most disastrous web hacking campaigns. The most dangerous flaw is SQL injection that can be exploited without any pre-conditions, being sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen, he warned.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: Magento, ecommerce, sensitive data, fraud, SQL injection, cybercrime
Categories:
Countries: World