Brace yourselves: Exploit published for serious Magento bug allowing card skimming [Updated]

Enlarge (credit: Mighty Travels / Flickr)
Attack code was published on Friday that exploits a critical vulnerability in the Magento e-commerce platform, all but guaranteeing it will be used to plant payment card skimmers on sites that have yet to install a recently released patch.
PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take administrative control of administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes. From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof-of-concept exploit.
Over the past six months, a raft of competing crime gangs has been racing to infect commerce sites with JavaScript that surreptitiously steals purchasers’ credit card data. The compromises are the result of exploits against either known or zeroday vulnerabilities. A vulnerability of this severity in an e-commerce platform that boasts 300,000 businesses and merchants is almost certainly going to face in-the-wild attacks by the same card-skimmer gangs.
Read 11 remaining paragraphs | Comments