300,000 online retailers at risk from Magento security flaw enabling attackers to take control of ecommerce sites

Magento rushes out patch for critical vulnerability to protect open source and commercial versions of its ecommerce software

Security researchers have discovered a critical vulnerability in the Magento e-commerce platform that leaves up to 300,000 websites at risk of card-skimming attacks.

With the PRODSECBUG-2198 SQL injection vulnerability, attackers can launch devastating attacks and take full control of accounts without authentication.

By downloading and cracking the right username and password hashes, attackers can then inject card-skimming code and install backdoors on the compromised accounts.

Magento is owned by Adobe, which scooped up the company in May 2018 in a $1.68 billion deal.


Experts at web security firm Sucuri have given the security flaw a score of 8.8 out of ten, claiming that it is "very easy" for attackers to exploit remotely.

"SQL injections allow an attacker to manipulate site arguments to inject their own commands to an SQL database (Oracle, MySQL, MariaDB, MSSQL)," wrote the firm in a post.

"Through this vulnerability, they can retrieve sensitive data from an affected site's database, including usernames and password hashes."

The company went on to say that these attacks are "very serious" because "they can be automated", making it easy "for hackers to mount successful, widespread attacks against vulnerable websites".

It added: "The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous."

As Sucuri notes, the issue affects Magento 2.1 releases before 2.1.17, 2.2 releases before 2.2.8 and 2.3 releases before 2.3.1, for both the open source and commercial versions of the platform.
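For anyone triaging an estate of stores against the version ranges above, the following is an added example (not code from the article, Sucuri or Magento): it parses a Magento version string and classifies it against the fixed releases the article names. The sample inventory is constructed, and ignoring a "-p1"-style suffix is an assumption.

```python
import re
from typing import Optional, Tuple
# First fixed release on each affected branch, as given in the article.
FIXED_RELEASES = {
    (2, 1): (2, 1, 17),
    (2, 2): (2, 2, 8),
    (2, 3): (2, 3, 1),
}

# major.minor.patch with an optional "-p1"-style suffix; ignoring the
# suffix is an assumption, the article says nothing about patch-level builds.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None if the string is not a version."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Classify a version against the ranges the article lists.
    'affected': below the first fixed release on a listed branch;
    'fixed': at or above it; 'not listed': a branch the article does not
    name (e.g. 1.x or 2.0); 'unparseable': not a recognisable version.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return "not listed"
    return "affected" if parsed < fixed else "fixed"


def triage(inventory: dict) -> dict:
    """Map each hostname in an inventory to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {"shop-a.example": "2.3.0", "shop-b.example": "2.2.8",
              "shop-c.example": "2.1.16-p1", "shop-d.example": "2.0.18",
              "shop-e.example": "n/a"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

A "fixed" result only means the version is at or above the release that carries the fix; stores that applied the standalone PRODSECBUG-2198 patch without upgrading will still show as "affected" and need checking separately.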

Magento has since released security updates addressing SQL injection, cross-site request forgery, cross-site scripting and remote code execution flaws.

Writing in the official advisory, Magento said: "A SQL injection vulnerability has been identified in pre-2.3.1 Magento code.

"To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198.

"However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can."
