Magento Flaw Puts Customer Databases at Risk

Building websites used to be tough. To have a web presence, a person would need to either have HTML skills themselves or recruit a talented web designer and website builder who could create and update a website for them. Content Management Systems (CMSs) have changed that. While there remains space for skilled web designers, individuals, businesses and organizations increasingly turn to CMS platforms like WordPress that make it easy to build, manage, and modify websites and web pages without specialist technical know-how.
A CMS consists of two main parts that work seamlessly together. The first, the content management application (CMA), lets users add and manage content on their website. The second, the content delivery application (CDA), takes the content entered through the CMA and makes it visible to whoever visits the website.
CMSs can also offer additional functionality, such as e-commerce features that allow people to sell products on their own dedicated e-store.
Content Management Systems have been a game-changer for tens of millions of website operators. But they’re not without their problems. CMSs, like any software, can have vulnerabilities, and when so many independent sites rely on them, those websites inherit the CMS’s vulnerabilities. In many cases, users will not be aware of these vulnerabilities — which leaves their sites open to potential exploitation by the likes of SQL injection attacks.
Recent Magento critical flaws exposed
One example of a CMS vulnerability came in October 2020, when Adobe alerted users to two critical flaws discovered in Magento, its open source e-commerce platform that powers more than 100,000 websites around the world.
Magento is often the subject of attacks by Magecart, a category of attack carried out by dozens of cybercriminal groups that try to gain access to Magento websites and steal sensitive data.
The Magento critical flaws revealed by Adobe — known as CVE-2020-24407 and CVE-2020-24400 — could be exploited by attackers to achieve arbitrary code execution or to gain illicit read or write access to databases. One of these critical flaws is referred to as an SQL injection vulnerability. This is a type of web security vulnerability that lets an attacker retrieve data they are not ordinarily able to see, possibly including sensitive user data. Sometimes SQL injection vulnerabilities can also allow attackers to compromise a system, changing how it operates, or even to carry out a denial-of-service attack.
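An added example (not from the article and not Magento’s own code) showing, in Python with SQLite, the difference between the string-concatenated query that an SQL injection flaw relies on and the parameterised form that removes it; the customer table, its columns and its rows are constructed for the demonstration and are not Magento’s schema.

```python
import sqlite3

# Constructed sample data standing in for a store's customer table;
# the table name, columns and rows are assumptions, not Magento's schema.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "1234"),
    ("bob@example.com", "5678"),
    ("carol@example.com", "9012"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (email, card_last4) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn

def lookup_vulnerable(conn, email):
    """The flawed pattern: untrusted input is spliced into the SQL text, so the
    input can alter the query's structure instead of acting only as a value."""
    sql = "SELECT email, card_last4 FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    """The fix: a parameterised query. The driver binds the input as a value,
    so whatever it contains is compared literally against the column."""
    sql = "SELECT email, card_last4 FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def compare(email):
    """Return (rows from the vulnerable lookup, rows from the safe lookup)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, email), lookup_safe(conn, email)
    finally:
        conn.close()

if __name__ == "__main__":
    # A normal lookup behaves the same either way: one matching row.
    print(compare("bob@example.com"))
    # An input that closes the quote and appends a tautology turns the
    # vulnerable query into "WHERE email = 'x' OR '1'='1'", which matches every
    # customer; the parameterised query finds no customer with that literal email.
    print(compare("x' OR '1'='1"))
```

A WAF may catch this particular input pattern, but only the parameterised query removes the underlying flaw, which is why the patch rather than the filter is the real fix.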
In the case of these two flaws, Adobe said that it was not aware of any exploits that had tried to use the vulnerabilities to attack websites in the wild. However, the fact that Magento is so frequently targeted by hackers (and this is far from the first critical vulnerability found in it) made this a cause for concern for anyone who uses a Magento system — whether running a store or simply shopping at one.
New vulnerabilities are discovered all the time
Previous Magecart attacks have successfully stolen credit card and other sensitive data using skimming attacks. Over the past several years, Magecart has attacked big sites like British Airways, Ticketmaster, Newegg, Macy’s, and Focus Camera. The attackers seek to inject malicious code that can go undetected for long periods of time while collecting personal information and sending it back to them.
New vulnerabilities are discovered regularly — which isn’t surprising given the enormous number of people who use and rely on these tools on a daily basis.
The good news is that vulnerabilities aren’t typically left unpatched. Once discovered, developers spring into action to patch them and push those patches out to users. This is what Adobe did with the CVE-2020-24407 and CVE-2020-24400 critical flaws mentioned above. It classified the patch as priority 2, since the flaws existed in a product that has regularly been targeted by attackers but for which there were currently no known exploits.
The challenge of patching
To benefit from these patches, users must make sure that they install the updates. The bad news is that this is often easier said than done. While installing patches can be easy, the sheer number of patches to install to keep systems up to date may be overwhelming.
Users may put off installing certain patches that are deemed non-critical (or even, in some cases, critical). In still other cases, the kind users dread, there’s the risk of a zero-day exploit, in which hackers abuse a vulnerability that has not yet been discovered or patched by the developers.
To keep users protected, bringing in cybersecurity experts can help. Tools like Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP) can identify and block SQL injections and other attacks with a minimal number of false positives, both on the network and inside the applications themselves. It’s a crucial extra line of protection that makes proper cybersecurity practice proactive on the part of users (because they are actively taking steps to enhance it) rather than passive. If you’re serious about security — as everyone should be — this is among the smartest moves you can make.
This way you get to take advantage of the significant upsides of CMSs, without having to worry about the potential vulnerabilities.