It seems you cannot go a day without hearing about someone or some group hacking a website or stealing credit card numbers and other sensitive data from e-commerce sites.
The e-commerce market is booming, and that gives attackers even more opportunities. There are many ready-made e-commerce platforms available on the Internet that are easy to install and easy to manage at no extra cost, and 'Magento' is one of the most popular of them.
Recently, security researchers at Securatary reported a critical cross-store vulnerability in the Magento platform that lets an attacker escalate privileges by creating an administrative user on any 'Gostorego' online store.
The authentication bypass vulnerability left 200,000 merchants' data exposed to attackers before it was patched. To exploit the flaw, an attacker only needed to modify the Host header of the GET request to the URI of the target account: the platform routed the request to the store named in the Host header without checking that the attacker's session belonged to that store.
They dubbed it "Stealth mode": it allows the attacker to steal store credits and gift coupons, change the prices of products and manipulate a number of other things in more than 20,000 web stores. "All these requests however 'impersonate' the store owner account, so actions are logged as this user and do not look so suspicious," they said.
To demonstrate the vulnerability, the researchers used Burp Suite, which makes it easy for an attacker to capture the login request, change the Host entry in the header, and then use the admin facilities of the targeted store, including adding a new user.
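The following is an added example, not code from Magento, Gostorego or Securatary, and it does not reproduce the actual patched bug. It is a toy model of the flaw class described in the two paragraphs above (store selection by Host header, admin session not bound to the store it was created for) together with the raw request an attacker would replay from a proxy after editing the Host header. All store names, the `/admin/user/save` path, the `adminhtml` cookie and the session table are invented for illustration.

```python
"""
Added example (not Magento/Gostorego code): a toy model of a cross-store
authorization flaw of the kind described above.  It assumes a hosted platform
that picks the store from the HTTP Host header and keeps admin sessions in a
shared table; all store names, cookie names and paths are invented.
"""
from dataclasses import dataclass, field


@dataclass
class Store:
    name: str
    admins: set = field(default_factory=set)


@dataclass
class Session:
    user: str
    store: str  # store the user actually logged in to


def make_fixture():
    """Constructed sample data: two tenants, the attacker already logged in to her own."""
    stores = {
        "attacker-shop.example": Store("attacker-shop.example", {"mallory"}),
        "victim-shop.example": Store("victim-shop.example", {"alice"}),
    }
    sessions = {"sess-mallory": Session("mallory", "attacker-shop.example")}
    return stores, sessions


def craft_add_admin_request(host: str, session_id: str, new_admin: str) -> bytes:
    """The request an attacker replays from a proxy after editing the Host header."""
    body = f"username={new_admin}"
    return (
        "POST /admin/user/save HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: adminhtml={session_id}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, cookies, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            cookies[key] = value
    return {"method": method, "path": path, "headers": headers,
            "cookies": cookies, "body": body.decode()}


def _resolve(req, stores, sessions):
    """Store comes from Host, session from the cookie, exactly as the platform would."""
    store = stores.get(req["headers"].get("host", ""))
    sess = sessions.get(req["cookies"].get("adminhtml", ""))
    return store, sess


def add_admin_vulnerable(req, stores, sessions) -> str:
    """Flawed check: any valid admin session may act on whatever store Host names."""
    store, sess = _resolve(req, stores, sessions)
    if store is None:
        return "404 unknown store"
    if sess is None or sess.user not in stores[sess.store].admins:
        return "403 not an admin"
    store.admins.add(req["body"].split("=", 1)[1])  # cross-store write
    return f"200 admin added to {store.name}"


def add_admin_fixed(req, stores, sessions) -> str:
    """Hardened: the session is only honoured on the store it was created for."""
    store, sess = _resolve(req, stores, sessions)
    if store is None:
        return "404 unknown store"
    if sess is None or sess.store != store.name or sess.user not in store.admins:
        return "403 session not valid for this store"
    store.admins.add(req["body"].split("=", 1)[1])
    return f"200 admin added to {store.name}"


if __name__ == "__main__":
    stores, sessions = make_fixture()
    raw = craft_add_admin_request("victim-shop.example", "sess-mallory", "eve")
    req = parse_request(raw)
    print(add_admin_vulnerable(req, stores, sessions))  # 200: eve is now admin of the victim store
    stores, sessions = make_fixture()
    print(add_admin_fixed(req, stores, sessions))       # 403: session belongs to attacker-shop
```

The only difference between the two handlers is that the hardened one compares the store the session was issued for with the store the Host header selects. The general lesson for any multi-tenant platform is that the Host header is attacker-controlled input: tenant selection may be driven by it, but authorization must be tied to the tenant recorded in the session, never to the tenant named in the request.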
The security company reported the vulnerability to eBay, which owns the Magento project, and it has since been patched.
Source: THN