Urgent Magento Security Update – Card Skimming Magento Bug

On Friday 29th March 2019, attack code was released for a critical security vulnerability affecting the Magento platform. The bug meant that payment card skimmers could be planted on any Magento website that had not been updated with the latest security patch. As a Magento Agency, we always strive to keep an eye on every single security update, in order to protect our clients from a security or data breach.

During the last six months, a large number of fraud criminals have been pushing to infect E-commerce sites with certain types of JavaScript (JS) exploits. The JS is used to steal customers’ payment data without leaving a trace. For the record, don’t for a minute think this is only a Magento issue: this kind of exploit affects other well-known platforms too.

What is at risk with the new Magento bug?

The latest Magento security bug is tracked as “PRODSECBUG-2198”; the patch of the same name closes down a SQL injection vulnerability that allows website attackers to take administrative control of all the accounts on the website. The hackers are able to download the usernames and passwords of customers. They would then be able to install the skimming code or ‘backdoor’ of their choice.

This effectively meant that all customer data on a site that had been breached was potentially in the hands of the hacker.

Sucuri, the well-known cloud-based website security company, reverse-engineered the official patch and demonstrated a working proof-of-concept exploit.

Why has your Magento site caught the security bug?

The PRODSECBUG-2198 security patch, released on the last Friday of March 2019, applies to the following versions of Magento:

  • Magento Commerce – Up to 1.14.4.1
  • Magento Open Source – Up to 1.9.4.1
  • Magento – Up to 2.1.17
  • Magento – Up to 2.2.8
  • Magento – Up to 2.3.1

If you’re looking to quickly protect your Magento website against this vulnerability, a stand-alone patch is available for installation; however, in order to be completely protected against all vulnerabilities, your Magento website will have to be upgraded to Magento Commerce or Open Source 2.3.1 or 2.2.8.

Click here to check your Magento security today with our top tips!

What are SQL Injections?

SQL injection is a form of injection attack that allows website hackers to execute malicious SQL statements, giving them control of the database server behind a web application. Luckily, our bespoke development team is already familiar with this area and has a clear idea of what needs to be actioned.

Attackers are able to use SQL injection vulnerabilities to bypass the security measures put in place, going around the authentication and authorisation of the web page to retrieve the content of the whole SQL database. SQL injection also allows the hacker to change, add and delete records in the database.

What is clickjacking?

Clickjacking is a form of attack that tricks a website user into clicking a link on a webpage. The link is typically disguised as another element within the page, causing the user to unknowingly download malware or other malicious software. The user believes they are clicking on the visible page; however, they are actually clicking on an invisible element that can read card details.

There are two main types of clickjacking techniques used by attackers:

Likejacking

Likejacking is a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they did not actually intend to like.

Cursorjacking

Cursorjacking is a UI redressing technique that displaces the cursor from the position the user perceives to a different position. Cursorjacking relied on vulnerabilities in Flash and the Firefox browser. These vulnerabilities have now been fixed, preventing Cursorjacking from happening.
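The standard defence against clickjacking of any kind is to stop other sites from framing your pages. The following added example (not from the original post) classifies the framing protection a response declares from its headers, using constructed header sets; the rule that a CSP frame-ancestors directive takes precedence over X-Frame-Options follows how browsers apply the two headers.

```python
from typing import Mapping


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify a response's clickjacking protection from its headers.

    Returns "csp"  when Content-Security-Policy restricts frame-ancestors,
            "xfo"  when only X-Frame-Options DENY/SAMEORIGIN is present,
            "none" when the page can be framed by any site.
    Header names are matched case-insensitively. When a frame-ancestors
    directive exists, X-Frame-Options is ignored, as browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # "frame-ancestors *" permits every origin, so it protects nothing.
            if "*" in sources or not sources:
                return "none"
            return "csp"

    # ALLOW-FROM is obsolete and ignored by current browsers, so only the two
    # still-honoured values count as protection.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed header sets, as a checkout page might return them.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy":   {"X-Frame-Options": "sameorigin"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "open":     {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:9} -> {framing_policy(hdrs)}")
```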

How to stay protected from security vulnerabilities?

Following this security bug, Magento officials have stated that, as the majority of website attacks are typically targeted at software installations that are not up-to-date with the latest security updates, they strongly recommend that users install security updates as soon as they are available. To find out more about the latest security patch, click here.

Magento Security Patch Services

At Brave, we have a team of developers that live, breathe and dream of Magento (day and night). As an integrated agency, we make sure that every site we are asked to support has the most up-to-date security patches in order to mitigate security bugs and attacks. Although no site is ever truly safe from these exploits, we believe prevention is better than cure. The disruption to you as a business, and the damage you could face from customers having issues, can’t be ignored.

As a Magento Agency, we would strongly recommend that your Magento website’s security is checked at least once a day to keep the risk of a security bug to a minimum at all costs.

To view our portfolio of Magento websites we have built over the last 18 years of Brave, click here. To get in touch to discuss our Magento Security Patch Services, call us today on 0845 544 3626!

Written by Gareth Torrance

Hello there. I'm Gareth, the Search Engine Marketing Lead at Brave. With almost a decade of experience in PPC and SEO, I've seen everything from Pandas and Penguins to the horrible time that was Mobilegeddon. As a Google Ads Certified Google Specialist, I have lived through almost every major shift in the industry! And that makes me feel old.
