A critical SQL flaw that requires no authentication and may be exploited on card skimmers is identified on Magneto eCommerce solutions used by more than 300K customers.
Bug leads to security risk: https://t.co/9Bs9RtigMN #skimming #security #Magento
— CF Webtools (@cfwebtools) March 29, 2019
Experts Comments Below:
Ilia Kolochenko, CEO at High-Tech Bridge:
“This may lead to one of the most disastrous web hacking campaigns. Magento is mostly used on trusted e-commerce websites and thus opens a door to a great wealth of sensitive PII including valid credit cards details. The most dangerous flaw is SQL injection that can be exploited without any pre-conditions, being sufficient to steal the entire database and likely take control over the vulnerable website and web server. Sophisticated malware infections may plague gutted websites once all valuable data is stolen.
Recently discovered, mass exploitation in the wild is probably a tip of the iceberg, as professional Black Hat groups could have already started the exploitation a couple of days ago or even earlier. Frequently, skilled attackers may even patch the vulnerability to preclude “competitors” from breaching the same target.
All Magento website owners should urgently update their systems and check the web server and all other available logs for IoC (indicator of compromise). In case of a merest suspicion, detailed forensics should be conducted to determine whether the system was breached. These days, cybercriminals know how to cover their tracks, however, they may unwittingly suppress too much evidence and thereby expose their presence.”
Eoin Keary, CEO and Co-founder at edgescan:
“SQL injection is still a popular technique used by cybercriminals, but it shouldn’t be, as there is more than one way to prevent it. Legacy code and poor coding practices are the main reason why this kind of web hacking is still successful.
To prevent SQL injections, developers should use a method called parameterization, which essentially causes external and user data to be treated as objects, rather than code, which is what causes SQL injection. Web Application Firewall – if appropriately configured – can also prevent SQL injection on known related vulnerabilities (which, according to the edgescan vulnerability stats report, account for 5.5% of all vulnerabilities discovered in 2018).
Finally, it is important to change the default settings of web applications, which often have a high privilege access to databases, to least privilege, which ensures some resilience against attackers.”