Magento bug exploited to steal payment data from ecommerce websites
A “cleverly crafted layout template in the database” was found
Cybersecurity researchers recently discovered a critical vulnerability in Magento, one of the best ecommerce platforms, which allowed threat actors to deploy persistent backdoors onto vulnerable servers.
Experts from Sansec published a blog post detailing a “cleverly crafted layout template in the database”, used to automatically inject malware.
The template abused an “improper neutralization of special elements” vulnerability, now tracked as CVE-2024-20720, and carrying a severity score of 9.1 (critical).
Targeting Europeans
Magento is an open-source e-commerce platform written in PHP, acquired by Adobe in mid-2018 for $1.68 billion. Today, more than 150,000 online stores use Magento, which is generally perceived as one of the top e-commerce platforms out there.
“Attackers combine the Magento layout parser with the beberlei/assert package (installed by default) to execute system commands,” the researchers said in their writeup. “Because the layout block is tied to the checkout cart, this command is executed whenever /checkout/cart is requested.”
The command in this case is sed, and it adds a backdoor to the CMS controller. “Clever, because the malware would be reinjected after a manual fix or a bin/magento setup:di:compile run,” they concluded.
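A defender-side check for the trait the researchers describe, added here as an example that is not from the article or from Sansec: it parses layout-update XML records and flags blocks whose arguments reference the beberlei/assert namespace or carry a shell command such as sed. The regexes, the record format and the sample records are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Indicators drawn from the article: the Assert\ namespace of the beberlei/assert
# package, and a shell command (the article names sed) smuggled into a layout argument.
# The exact regexes are this example's own assumption, not Sansec's detection rule.
ASSERT_NS = re.compile(r"\bAssert\\")
SHELL_CMD = re.compile(r"(\bsed\s+-|shell_exec|passthru|system\(|exec\()")

def scan_layout_xml(xml_text):
    """Return a list of human-readable findings for one layout-update XML string."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]  # malformed records deserve a look too
    for el in root.iter():
        # Check the tag name, every attribute value and the element text together.
        blob = " ".join([el.tag, *el.attrib.values(), el.text or ""])
        where = f"<{el.tag} class={el.attrib.get('class', '-')}>"
        if ASSERT_NS.search(blob):
            findings.append(f"{where}: references beberlei/assert (Assert\\ namespace)")
        if SHELL_CMD.search(blob):
            findings.append(f"{where}: contains a shell-command indicator")
    return findings

def scan_records(records):
    """records: {record_id: xml_text} -> {record_id: findings}, flagged records only."""
    return {rid: f for rid, xml in records.items() if (f := scan_layout_xml(xml))}

# Constructed sample records (not real captures). The second mimics the traits the
# article describes: a block argument hands a sed command to beberlei/assert.
BENIGN = r"""<layout><block class="Magento\Checkout\Block\Cart" name="checkout.cart"
  template="Magento_Checkout::cart.phtml"/></layout>"""
SUSPICIOUS = r"""<layout><block class="Magento\Framework\View\Element\Template" name="x">
  <arguments><argument name="callback" type="string">Assert\Assertion::string</argument>
  <argument name="cmd" type="string">sed -i 's/a/b/' PLACEHOLDER_CMS_CONTROLLER.php</argument>
  </arguments></block></layout>"""

if __name__ == "__main__":
    for rid, hits in scan_records({"1": BENIGN, "2": SUSPICIOUS}).items():
        print(f"layout record {rid}:")
        for hit in hits:
            print("  ", hit)
```

In a real store the records would be pulled from the database table Magento uses for stored layout updates (an assumption here) and every hit reviewed by hand, since the patterns are deliberately broad.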
Magento fixed the flaw with a security patch published on February 13 this year, so if you haven’t already installed it, now would be a good time.
Given Magento’s popularity, it’s no wonder that it’s a major target. One of the biggest credit card skimmers out there is called MageCart, and the last time we heard of it, threat actors had been using the tool to target websites running outdated and unsupported versions of Magento in bulk.
In February 2022, Sansec discovered more than 500 infections that occurred on the same day, with the same malware. The researchers said the attackers used the naturalfreshmalll.com domain (quickly defunct) to load the malware onto ecommerce websites running Magento 1.
This version reached its end-of-life on June 30, 2020, meaning it no longer receives regular security and usability updates, making it a perfect target for cybercriminals.
Via TheHackerNews
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.