Urgent Magento Security Update – Card Skimming Magento Bug

On Friday 29th March 2019, working exploit code was published for a critical vulnerability in the Magento platform. The bug meant that payment-card skimmers could be planted on any Magento store that had not installed the latest security patch. As a Magento agency, we keep a close eye on every security update in order to protect our clients from a security or data breach.

Over the last six months, criminal groups have been pushing hard to infect e-commerce sites with JavaScript (JS) skimmers. The JS is injected into checkout pages to capture customers' payment card details as they are entered, without leaving an obvious trace. For the record, do not for a minute think this is only a Magento issue: the same kind of attack is seen on other well-known e-commerce platforms.

What is at risk with the new Magento bug?

The latest Magento security bug is tracked as “PRODSECBUG-2198”. The patch closes an SQL injection vulnerability that can be exploited without logging in, allowing attackers to read data straight from the store database, including account credentials (password hashes) for admin users and customers, and from there take administrative control of the site. Once they hold an admin account, they can install the skimming code or ‘backdoor’ of their choice.

In practice, this meant that all customer data on a breached site was potentially in the attacker's hands.

Sucuri, the well-known cloud-based website security company, reverse-engineered the official patch and demonstrated a working proof-of-concept exploit against unpatched stores.

Why is your Magento site exposed to this security bug?

The PRODSECBUG-2198 security patch, released at the end of March 2019, fixes the vulnerability in the following Magento releases. Anything older than the release listed for your branch is unpatched:

  • Magento Commerce 1.x – versions prior to 1.14.4.1
  • Magento Open Source 1.x – versions prior to 1.9.4.1
  • Magento 2.1 (Commerce and Open Source) – versions prior to 2.1.17
  • Magento 2.2 (Commerce and Open Source) – versions prior to 2.2.8
  • Magento 2.3 (Commerce and Open Source) – versions prior to 2.3.1

If you need to protect your Magento website quickly, a stand-alone patch is available for installation. However, to be protected against all of the vulnerabilities fixed in this release, your Magento website should be upgraded to Magento Commerce or Open Source 2.3.1, 2.2.8 or 2.1.17 (or to the corresponding 1.x release listed above).
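As an added check that is not part of the original post or of Magento itself, the following Python function decides whether a reported Magento version falls below the fixed release for its branch, using the list above. It accepts a bare version string (what Magento 1's Mage::getVersion() returns) or the output of Magento 2's bin/magento --version, which this example assumes reads like “Magento CLI 2.3.1”.

```python
import re

# Fixed releases per branch, taken from the list above. Anything below the fixed
# release on the same branch is missing the PRODSECBUG-2198 fix.
FIXED_RELEASES = {
    "1.14": (1, 14, 4, 1),  # Magento Commerce 1.x
    "1.9": (1, 9, 4, 1),    # Magento Open Source 1.x
    "2.1": (2, 1, 17),      # Magento 2.1 (Commerce and Open Source)
    "2.2": (2, 2, 8),       # Magento 2.2
    "2.3": (2, 3, 1),       # Magento 2.3
}


def parse_version(text):
    """Pull the first dotted version number out of e.g. '1.9.4.0' or 'Magento CLI 2.3.0'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def _padded(version, length):
    # Compare 2.2.8 and 2.2.8.0 as equal by right-padding with zeros.
    return version + (0,) * (length - len(version))


def needs_prodsecbug_2198_fix(version_text):
    """True if the release is older than the fix for its branch, False if at or
    above it, None if the branch (e.g. 2.0.x) is not in the list above."""
    version = parse_version(version_text)
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    width = max(len(version), len(fixed))
    return _padded(version, width) < _padded(fixed, width)


if __name__ == "__main__":
    # Constructed sample inputs covering both Magento 1 and Magento 2 formats.
    for sample in ["1.9.4.0", "1.14.4.1", "Magento CLI 2.3.0", "2.2.8", "2.1.16", "2.0.18"]:
        print(f"{sample:20s} needs fix: {needs_prodsecbug_2198_fix(sample)}")
```

A result of True means the core version predates the fix; it cannot tell whether the stand-alone patch was applied on top of that older version, so treat it as “verify the patch was applied”, not as proof of exposure. A result of None means the branch is not covered by the list above and needs to be checked separately.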

Click here to check your Magento security today with our top tips!

What are SQL Injections?

SQL injection is a form of injection attack in which an attacker supplies input that the application splices into an SQL statement, so that attacker-chosen SQL runs against the database behind the web application. Luckily, our bespoke development team is already familiar with this class of flaw and has a clear idea of what needs to be actioned.

Attackers use SQL injection vulnerabilities to bypass the security measures put in place: circumventing the authentication and authorisation of the web application in order to retrieve the contents of the whole SQL database. Depending on the injection point, it can also let the attacker change, add and delete records in the database.
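As an added example (not code from the original post, nor Magento's own code), the following Python script uses an in-memory SQLite table with constructed sample rows to show the difference between splicing user input into an SQL string and binding it as a parameter. The table and column names are illustrative, not Magento's schema, and the password hashes are placeholders.

```python
import sqlite3

# Constructed sample data for this demo only; the hashes are placeholders.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "hash_of_alice_pw", "Alice"),
    ("bob@example.com", "hash_of_bob_pw", "Bob"),
    ("admin@example.com", "hash_of_admin_pw", "Store Admin"),
]


def make_db():
    """Create an in-memory database holding the constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer_entity (email TEXT, password_hash TEXT, firstname TEXT)"
    )
    conn.executemany("INSERT INTO customer_entity VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the caller's input becomes part of the SQL text."""
    sql = f"SELECT email, firstname FROM customer_entity WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT email, firstname FROM customer_entity WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads: a tautology that makes the WHERE clause always true
# (authentication/authorisation bypass), and a UNION that pulls a column the
# query was never meant to expose (dumping credentials).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT email, password_hash FROM customer_entity --"


def demo():
    """Run both payloads through both lookups and return the rows each produced."""
    conn = make_db()
    return {
        "normal lookup (safe)": lookup_safe(conn, "alice@example.com"),
        "tautology (vulnerable)": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology (safe)": lookup_safe(conn, TAUTOLOGY),
        "union dump (vulnerable)": lookup_vulnerable(conn, UNION_DUMP),
        "union dump (safe)": lookup_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:26s} -> {len(rows)} row(s): {rows}")
```

The tautology returns every customer through the vulnerable lookup and nothing through the safe one, because the bound parameter is compared as a literal e-mail address. The UNION payload returns the password hash column in place of first names. SQLite's execute() refuses stacked statements, so the “change, add and delete” case is not shown here, but MySQL drivers that allow multiple statements would make that possible through the same flaw; the fix in every case is the same: bind parameters (in PHP, PDO prepared statements or the framework's query builder) rather than concatenating.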

What is clickjacking?

Clickjacking is a form of attack that tricks a website user into clicking something other than what they think they are clicking. Typically the attacker loads the target page in an invisible frame positioned over a decoy page, so the user believes they are clicking a visible element but is actually clicking an invisible one, such as a button on the framed page, that performs an action they did not intend (confirming a purchase, changing an account setting, or starting a malware download).

There are two main types of clickjacking techniques used by attackers:

Likejacking

Likejacking is a technique in which the Facebook “Like” button is hidden beneath other content, causing users to “like” a page they did not intend to like.

Cursorjacking

Cursorjacking is a UI-redressing technique that displaces the cursor, so that it appears at a different position from the one where the browser actually registers the click. Cursorjacking relied on vulnerabilities in Flash and in the Firefox browser; those vulnerabilities have since been fixed.
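The defence against the framing attacks described above is to tell the browser which origins may embed the page, through a Content-Security-Policy frame-ancestors directive or the older X-Frame-Options header. The Python below is an added example, not code from the original post or from Magento: given a response's headers, it decides whether a chosen attacker origin could frame the page, applying the browser rules that frame-ancestors takes precedence over X-Frame-Options and that ALLOW-FROM is obsolete and no longer honoured. The sample responses and origins are constructed for the demo.

```python
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(origin):
    """(scheme, host, effective port) for an origin such as https://shop.example.com."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme)


def _same_origin(a, b):
    return _origin_parts(a) == _origin_parts(b)


def _host_source_matches(src, framer_origin):
    """Match one CSP scheme-source ('https:') or host-source ('*.partner.example',
    'https://a.b:443') against the framing origin."""
    scheme, host, port = _origin_parts(framer_origin)
    src = src.lower()
    if src.endswith(":") and "/" not in src:        # scheme-source
        return scheme == src[:-1]
    if "://" in src:
        src_scheme, _, rest = src.partition("://")
        if scheme != src_scheme:
            return False
    else:
        rest = src
    rest = rest.split("/", 1)[0]                      # ignore any path part
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and str(port) != src_port:
        return False
    if src_host == "*":
        return True
    if src_host.startswith("*."):                     # any subdomain, not the bare domain
        return host.endswith(src_host[1:])
    return host == src_host


def _frame_ancestors_verdict(csp_value, page_origin, framer_origin):
    """True/False if the policy carries a frame-ancestors directive, else None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = tokens[1:]
        if not sources or any(s.lower() == "'none'" for s in sources):
            return False
        for src in sources:
            if src.lower() == "'self'":
                if _same_origin(page_origin, framer_origin):
                    return True
            elif _host_source_matches(src, framer_origin):
                return True
        return False
    return None


def can_be_framed_by(headers, page_origin, framer_origin):
    """Return (allowed, reason): may framer_origin embed page_origin given these headers?"""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        verdict = _frame_ancestors_verdict(csp, page_origin, framer_origin)
        if verdict is not None:                       # CSP overrides X-Frame-Options
            return verdict, "decided by Content-Security-Policy frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _same_origin(page_origin, framer_origin), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return True, "no framing restriction sent: page is clickjackable"


# Constructed sample responses (not captured from any real store).
SAMPLE_RESPONSES = {
    "unprotected checkout": {"Content-Type": "text/html"},
    "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp wins over xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner widget allowed": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
}


def audit(page_origin="https://shop.example.com", framer_origin="https://attacker.example.net"):
    """Map each sample response to whether framer_origin could frame it."""
    return {name: can_be_framed_by(hdrs, page_origin, framer_origin)[0]
            for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, framable in audit().items():
        print(f"{name:24s} framable by attacker: {framable}")
```

To use it against a live store, capture the response headers of the checkout and account pages (for example with curl -I) and pass them in as the dictionary; any page that comes back True for an origin you do not control is a clickjacking candidate. Note that only the first frame-ancestors directive in a policy counts, and that a policy delivered by a <meta> tag does not support frame-ancestors at all, so the header is the thing to check.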

How to stay protected from security vulnerabilities?

Following this security bug, Magento has stated that, because the majority of website attacks target software installations that are not up to date with the latest security updates, it strongly recommends that users install security updates as soon as they are available. To find out more about the latest security patch, click here.

Magento Security Patch Services

At Brave, we have a team of developers who live, breathe and dream Magento (day and night). As an integrated agency, we make sure that every site we are asked to support has the most up-to-date security patches in order to mitigate security bugs and attacks. Although no site is ever truly safe from these exploits, we believe prevention is better than cure: the disruption to your business, and the damage done when customers run into problems, cannot be ignored.

As a Magento agency, we strongly recommend that your Magento website's security is checked at least once a day, to keep the risk from a security bug to a minimum.

To view the portfolio of Magento websites we have built over Brave's 18 years, click here. To discuss our Magento Security Patch Services, call us today on 0845 544 3626!

Written by Kieran Delpech

I'm Kieran, I am a Search Engine Marketing Executive at Brave Agency. I basically live in Google Analytics and Google Adwords, analysing the data and fixing the issues on websites and campaigns. I have a huge focus on getting the best ROI out of everything that I do and love to keep up to date on the latest and greatest SEO and PPC changes, technical advancements and algorithms.
