26.10.2018
Magento – Vulnerable add-ons allow credit card misuse

In the campaign dubbed Magecart, criminal hackers are reportedly searching specifically for Magento-based online shops that run vulnerable add-ons. Where they succeed, they inject code into the site through a security hole and use fake forms to skim credit card data. Security researcher Willem de Groot came across these attacks. In his write-up of the incidents he warns that this is currently happening on a large scale. He also lists the extensions that are vulnerable to the attacks and notes whether security patches are already available. These include, for example, the add-ons AW AdvancedReports, Made_Cache and Webcooking_SimpleBundle. He says he will update the list as new information comes in. Details of the vulnerability (CVE-2016-4010) were made public in 2016. An attacker who exploits it can remotely inject and execute PHP code on shop pages without authentication.

The Magento developers closed the hole at the end of 2016 with patch 8788. For some add-ons, this evidently has not happened to this day. Since the security researcher's write-up, several developers have already responded and repaired their extensions. According to de Groot's list, however, some add-ons that it marks as still in development are unlikely to get a patch. Admins who look after Magento shops should definitely review the list and, where possible, disable add-ons that have not been fixed. Otherwise, attackers could place a payment overlay in vulnerable shop systems to intercept payment data.
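One way an admin could turn the two checks above into a repeatable audit is the following script. It is an added example, not code from the article or from de Groot, and it rests on two assumptions: that Magento 1 records applied patches in `app/etc/applied.patches.list` under the identifier `SUPEE-8788`, and that add-ons are declared as `Vendor_Module.xml` files under `app/etc/modules/` with an `<active>` flag. The sample shop tree it builds is constructed for an offline run and is not a real installation.

```python
import os
import re
import tempfile

# Add-ons named in the article as vulnerable. Their declaration file names under
# app/etc/modules/ are assumed to follow the Vendor_Module form; matching is
# case-insensitive so a casing difference does not hide a hit.
FLAGGED_ADDONS = ["AW_AdvancedReports", "Made_Cache", "Webcooking_SimpleBundle"]


def patch_8788_applied(root):
    """True if the Magento 1 patch log (app/etc/applied.patches.list) names SUPEE-8788."""
    path = os.path.join(root, "app", "etc", "applied.patches.list")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "SUPEE-8788" in fh.read()


def flagged_modules(root):
    """Return [(module_name, active)] for each flagged add-on declared in app/etc/modules/."""
    mod_dir = os.path.join(root, "app", "etc", "modules")
    wanted = {name.lower() for name in FLAGGED_ADDONS}
    hits = []
    if not os.path.isdir(mod_dir):
        return hits
    for fname in sorted(os.listdir(mod_dir)):
        if not fname.endswith(".xml"):
            continue
        module = fname[:-4]
        if module.lower() not in wanted:
            continue
        with open(os.path.join(mod_dir, fname), encoding="utf-8", errors="replace") as fh:
            active = re.search(r"<active>\s*true\s*</active>", fh.read(), re.I) is not None
        hits.append((module, active))
    return hits


def audit(root):
    """Summarise both checks; 'at_risk' is True when a flagged add-on is still enabled."""
    hits = flagged_modules(root)
    return {
        "patch_8788": patch_8788_applied(root),
        "flagged": hits,
        "at_risk": any(active for _, active in hits),
    }


def build_sample_tree(with_patch=True):
    """Constructed Magento 1 layout so the audit can run offline; not a real shop."""
    root = tempfile.mkdtemp(prefix="magento-audit-")
    etc = os.path.join(root, "app", "etc")
    os.makedirs(os.path.join(etc, "modules"))
    if with_patch:
        with open(os.path.join(etc, "applied.patches.list"), "w") as fh:
            # Constructed log line; only the patch identifier matters to the check.
            fh.write("2016-10-11 10:00:00 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | ...\n")
    modules = {
        "Mage_Core.xml": True,            # core module, not flagged
        "Made_Cache.xml": True,           # flagged and still active
        "AW_AdvancedReports.xml": False,  # flagged but already disabled
    }
    for fname, active in modules.items():
        name = fname[:-4]
        with open(os.path.join(etc, "modules", fname), "w") as fh:
            fh.write(
                "<config><modules><%s><active>%s</active>"
                "<codePool>community</codePool></%s></modules></config>"
                % (name, "true" if active else "false", name)
            )
    return root


if __name__ == "__main__":
    print(audit(build_sample_tree()))
```

Run against a real shop by passing its document root to `audit()`; a result with `at_risk` set means a flagged add-on is still enabled and, per the article, should be patched or disabled even when the core patch is present.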
