Check Point Software Technologies has announced that its Malware and Vulnerability Research Group recently discovered a critical remote code execution (RCE) vulnerability in eBay’s Magento web ecommerce platform, affecting nearly 200 000 online shops around the world.
If exploited, the vulnerability gives an attacker the ability to fully compromise any online store built on the Magento platform, including its credit card information and other customer financial and personal data. The vulnerability allows an attacker to bypass all of the platform’s security mechanisms and gain control of the store and its complete database, enabling credit card theft or any other administrative action on the system.
According to BuiltWith, more than 880 ecommerce websites registered under the .co.za domain use the Magento platform, placing thousands of South Africans’ information at risk. As this figure does not include .com registrations, the number of at-risk individuals could be much higher.
Online shopping is growing rapidly in South Africa. By the end of 2014, Internet shopping was expected to near the R6-billion mark, up from R688-million when ecommerce started on its upward trajectory in 2006. In its global survey of online shoppers, PwC found that 51% of surveyed South Africans shop online at least monthly and 55% would use digital currency.
Security becomes critically important in light of this growth. According to the South African Banking Risk Information Centre (SABRIC), identity theft costs South Africans over R1-billion every year, while losses from credit card fraud amounted to R366,8-million in 2013.
“As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” says Doros Hadjizenonos, sales manager for Check Point South Africa. “The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30% of the ecommerce market.”
Check Point privately disclosed these vulnerabilities, together with a list of suggested fixes, to eBay prior to public disclosure. A patch addressing the flaws (SUPEE-5344) was released on 9 February 2015. Store owners and administrators are urged to apply the patch immediately.