Last week eBay released a major security update for the Magento eCommerce platform. Store owners are advised to download and install the update as soon as possible, since it patches three security vulnerabilities.
The security issues were discovered by Hadji Samir, a researcher at Vulnerability Labs. He identified three “medium” severity flaws, which could potentially be exploited in order to gain access to sensitive account or customer data.
One of the three vulnerabilities was a CSRF flaw which could have allowed attackers to perform client-side phishing, account hijacking, and redirects. It also allowed the temporary manipulation of service modules.
eBay, the owner and developer of Magento, is extremely pro-active about fixing issues with the platform. In April, it released another patch which fixed a potential security vulnerability before it was publicly identified. The vulnerabilities were subsequently reported in a number of major publications.
Check Point Software Technologies’ Malware and Vulnerability Research Manager, Shahar Tal, noted that the vulnerabilities addressed by these security updates would otherwise have represented a significant threat to brands using the platform. The latest update is available free of charge.
A Growing eCommerce Issue
Magento has a market share of about 30 per cent of the eCommerce market. As a market leader, it is easy to understand why it has been targeted in this instance. Anyone at Microsoft will understand the issues all too well. Online shopping is now a mainstream day-to-day activity and is growing to the point where in some sectors it is overshadowing in-store commerce. This makes the associated technology attractive for hackers who are looking for high impact targets.
The existence of security flaws does not mean that Magento is inherently weak. Quite the contrary; most major platforms have had issues at some point or another. The WordPress content management system, which can be extended to create online stores via tools such as WooCommerce is another major platform that has had some serious vulnerabilities discovered on a number of recent occasions.
What really matters is the way in which the vulnerabilities are dealt with when they are discovered. eBay deserves a great deal of credit for moving so quickly to patch the vulnerabilities and to protect the users of its eCommerce software. Open source platforms have a large number of developers looking at their code and working to find bugs and vulnerabilities. This tends to pay dividends in terms of the security, reliability and overall quality of the software.
For expert advice and assistance with Magento security updates, please contact the Radweb team.