Vulnerable Magento Extensions Exploited to Plant Skimmers

Threat actors have once again targeted the Magento platform, this time to plant payment card skimmers on online stores. According to security researcher Willem de Groot, at least 20 Magento extensions have been abused through unpatched zero-day vulnerabilities.

This is not the first time de Groot has uncovered serious Magento issues. In September, the researcher reported that MagentoCore had already infected 7,339 Magento stores in the preceding 6 months, making it the most aggressive campaign discovered by researchers.

2 of 20 Vulnerable Magento Extensions Identified

As for the current case, de Groot has so far identified 2 of the 20 extensions and is seeking help from fellow researchers to uncover the rest, which is needed before the zero-day flaws can be patched. The good news is that he has published the URL paths the attackers request when compromising stores running the vulnerable extensions, so store owners can search their web server access logs for those paths to tell whether they have been hit.

While the extensions differ, the attack method is the same: PHP Object Injection (POI). The vulnerable code passes attacker-controlled input to PHP's unserialize(), which reconstructs whatever objects the input describes. By naming a class that is already loaded and has a useful magic method (__wakeup(), __destruct(), __toString() and the like), the attacker turns that deserialization into arbitrary file writes or database changes, which is enough to plant their own PHP code on the site or modify its JavaScript files. As of today, many popular PHP applications still pass untrusted data to unserialize().
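The mechanism in miniature, as an added illustration that is not code from the original post or from any of the affected extensions. The TemplateCache class, the loadState* helpers and the payload are all hypothetical stand-ins for an extension class with a file-writing destructor and a controller that unserializes request data; the example assumes PHP 8 and only writes to a throwaway file in the system temp directory:

```php
<?php
// Added illustration, not code from any Magento extension. The class and
// function names are hypothetical; they stand in for a real extension class
// that happens to have a file-writing destructor and a controller that
// unserializes request data.

// A "gadget": an ordinary helper class with a __destruct() side effect.
// Such classes are common (cache writers, loggers, temp-file cleanup).
class TemplateCache
{
    public ?string $path = null;
    public string $content = '';

    public function __destruct()
    {
        // Flushes buffered template content to disk when the object dies.
        if ($this->path !== null) {
            file_put_contents($this->path, $this->content);
        }
    }
}

// VULNERABLE: the pattern the exploited extensions share. Attacker-controlled
// input goes straight to unserialize(), so the attacker decides which classes
// are instantiated and what their properties hold.
function loadStateVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Constructed attacker payload: a serialized TemplateCache whose destructor
// will write a PHP file (a web shell or skimmer loader) wherever $targetPath
// points. The endpoint never needed a TemplateCache; the attacker simply
// picked a loaded class with a useful destructor.
function buildPayload(string $targetPath, string $phpCode): string
{
    $gadget = new TemplateCache();
    $gadget->path = $targetPath;
    $gadget->content = $phpCode;
    $serialized = serialize($gadget);
    $gadget->path = null;   // keep the local object from firing its own destructor
    return $serialized;
}

// HARDENED, option 1: a data-only format. json_decode() only ever produces
// scalars, arrays and stdClass; no attacker-chosen class is instantiated, so
// there is no __destruct() or __wakeup() to abuse. This is the direction the
// article says Magento core took.
function loadStateJson(string $raw): ?array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// HARDENED, option 2: if a serialized blob genuinely must be accepted,
// forbid class instantiation (PHP >= 7.0). Objects in the input become
// __PHP_Incomplete_Class and their magic methods never run.
function loadStateSafeUnserialize(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Demonstration against a throwaway path in the system temp directory.
$drop = sys_get_temp_dir() . '/poi_demo_shell.php';
$payload = buildPayload($drop, "<?php echo 'attacker code'; ?>");
echo "payload: $payload\n";

@unlink($drop);
// The return value is discarded, so the reconstructed gadget is destroyed at
// once and its __destruct() writes $drop.
loadStateVulnerable($payload);
echo 'vulnerable path wrote file: ' . (file_exists($drop) ? 'yes' : 'no') . "\n";

@unlink($drop);
// Same payload, but class instantiation is disabled: the object comes back as
// __PHP_Incomplete_Class and no destructor runs.
$obj = loadStateSafeUnserialize($payload);
echo 'allowed_classes=false gives: ' . get_class($obj) . "\n";
unset($obj);
echo 'hardened unserialize wrote file: ' . (file_exists($drop) ? 'yes' : 'no') . "\n";

// The JSON path rejects the serialized blob outright as a syntax error.
try {
    loadStateJson($payload);
} catch (JsonException $e) {
    echo 'json_decode rejects the serialized blob: ' . $e->getMessage() . "\n";
}
@unlink($drop);
```

The point of the demonstration is that the vulnerable endpoint never references TemplateCache at all; the attacker supplies the class name inside the serialized string, and the mere act of reconstructing and discarding the object is what writes the file. Of the two hardened variants, the JSON one is preferable because it changes the data format rather than relying on every unserialize() call site remembering the allowed_classes option.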

It appears that Magento replaced most of its vulnerable unserialize() calls with json_decode() in patch 8788 (SUPEE-8788). Unfortunately, many of its popular extensions did not follow suit, the researcher noted in his post; a store owner can find the same pattern in third-party code by searching the extension tree for unserialize( calls whose argument comes from request data. As Yonathan Klijnsma, a researcher at RiskIQ and one of the experts who has been helping de Groot, explained: “core platforms tend to be pretty good, it’s just the plugins that keep messing up”.


*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Milena Dimitrova. Read the original post at: