Critical SQL injection vulnerability in Magento; update please

Magento, an Adobe-owned platform, announced the release of an update patch that corrects some critical SQL injection vulnerabilities. According to the authors of the book ‘Learn ethical hacking’, one of these vulnerabilities is really easy to exploit, and no authentication is required to do so.

Magento is one of the most used e-commerce platforms. According to figures provided by the company itself, transactions worth over $155 billion USD were processed through Magento in 2018 alone. Approximately 300k companies use this software, including Coca Cola, BevMo! (liquor retailer) and Tom Dixon (furniture retailer).

According to the authors of ‘Learn ethical hacking’, most of the reported vulnerabilities require authentication or minimum privilege levels to be exploited. However, a SQL injection vulnerability that can be exploited without the need for privileges or authentication was also detected.

An attack that does not require authentication can be really serious because the attack process can be automated. Because of this, malicious hackers can organize large-scale attacks on vulnerable platforms; these factors, along with the ease of exploitation and the possible consequences, have made this flaw especially dangerous.

The SQL injection vulnerability could be used to extract usernames and password hashes from database implementations such as Oracle and MySQL. The authors of ‘Learn ethical hacking’ urge the company’s customers to update their systems as soon as possible to mitigate the risk of exploitation.

A group of cybersecurity specialists reverse-engineered the update patch to find out exactly what corrections were made. According to the experts, the update fixes flaws such as cross-site request forgery, cross-site scripting, SQL injection, and remote code injection. The experts confirmed that there is no evidence of exploitation of these vulnerabilities in the wild.

E-commerce websites are frequent victims of cyberattacks that use malware to extract payment card data (card skimmers). Specialists have detected multiple groups of malicious hackers using these techniques to extract payment card information.

Although these are not recently developed attack tactics, the criminals have refined their methods, finding ways to enter a system and compromise it stealthily; even some third-party tools developed for marketing and data analysis can be used to steal payment card data.