Why the Magento XSS Bug is No Joke

Posted on the 6th February 2016

Last month, the Magento developers released a patch for a critical security flaw. This allowed an attacker to inject code into the admin panel of Magento by taking advantage of a cross-site scripting vulnerability in the email address field on the order form of the Magento ecommerce system.

The patch was made available for both the Community Edition and the Enterprise Edition of Magento 1.9.x, and for a similar XSS bug in the newer Magento 2.0. According to Magento, when a customer registered using the form on the store-front, they could provide an email address poisoned with JavaScript code. This could be used to steal the administrator’s session cookie, or perform certain actions while posing as the store administrator.
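To make the mechanism concrete, here is an added example (not Magento's code, and not from the original post) showing the same class of flaw in miniature: a customer-supplied email address interpolated raw into an admin order listing, beside the hardened rendering that escapes it, plus a detection sweep a store operator could run over exported customer records to find values that were poisoned before patching. The record layout, function names and sample data are assumptions constructed for the example.

```python
import html
import re

# Conservative server-side email check (assumption, not Magento's validator):
# a legitimate address never contains HTML metacharacters, so anything that
# fails this is rejected at input time.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")

# Markup indicators used by the detection sweep over already-stored records.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def is_plausible_email(value: str) -> bool:
    """Return True only for addresses that look like a real mailbox."""
    return EMAIL_RE.fullmatch(value.strip()) is not None


def render_order_row_vulnerable(order: dict) -> str:
    """Mirrors the bug: untrusted email dropped straight into admin HTML."""
    return f"<tr><td>{order['id']}</td><td>{order['email']}</td></tr>"


def render_order_row_safe(order: dict) -> str:
    """Hardened form: every untrusted field is escaped at output time."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(str(order["id"]), quote=True),
        html.escape(order["email"], quote=True),
    )


def find_poisoned_records(records) -> list:
    """Detection sweep: ids of stored records whose email fails validation
    or carries markup, i.e. candidates planted via the unpatched form."""
    return [
        r["id"]
        for r in records
        if not is_plausible_email(r["email"]) or MARKUP_RE.search(r["email"])
    ]


# Constructed sample records for the example (not real customer data).
SAMPLE_ORDERS = [
    {"id": 1001, "email": "alice@example.com"},
    {"id": 1002, "email": "bob@example.com<script>alert(1)</script>"},
    {"id": 1003, "email": "carol@example.org"},
]

if __name__ == "__main__":
    print("poisoned:", find_poisoned_records(SAMPLE_ORDERS))
    print(render_order_row_safe(SAMPLE_ORDERS[1]))
```

Escaping at output is the fix for the rendering side; the validation and sweep catch records that were stored while the store was still unpatched.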

Magento is urging administrators to install the update. Thousands of stores have still not been patched, and it is vital that this vulnerability be fixed quickly: it is trivial to exploit, and it puts payment details, passwords, and more at risk. ‘Script kiddies’ can exploit it using automated attacks that simply run against every Magento store they are able to find.

There are hundreds of thousands of stores running Magento 1.9.x and Magento 2.0 and because the Community Edition is released for free, Magento themselves are not really able to keep track of how many sites are running it, and how many of them have updated to the latest SUPEE patches.

All too often, users of the Community Edition pay someone to install the script for them and then forget about administering the site. If they lack the in-house expertise to install security updates, the site may go unpatched until they run into problems, or until a high-profile bug prompts them to seek help upgrading to the latest version.

If you are a store owner without the expertise to upgrade, it is important that you seek help from a solutions provider, or from the Magento community, to update your store. This cross-site scripting bug is a very serious one, and it could put your customers’ personal and financial information at risk.

Installing the security update will not require extensive site downtime, and it will protect your customers from a serious threat. Act now, before hackers discover that your site is one of those that remain unpatched.

Help is here if you need it.