April 9th, 2019
On Friday 29th March 2019, proof-of-concept attack code was released for a critical security vulnerability across the Magento platform. The latest bug meant that payment card skimmers could be planted on any Magento website that had not installed the latest security patch. As a Magento Agency, we always strive to keep an eye on every single security update, in order to protect our clients from a security or data breach.
What is at risk with the new Magento bug?
The latest Magento security bug is called “PRODSECBUG-2198”. It is a patch that closes a SQL injection vulnerability allowing website attackers to take administrative control of all the accounts on the website. The hackers are able to download customers' usernames and passwords, and would then be able to install the skimming code or ‘backdoor’ of their choice.
This effectively meant that all customer data on a site that had been breached was potentially in the hands of the hacker.
Sucuri, the well-known cloud-based website security company, reverse-engineered the official patch and demonstrated a working proof-of-concept exploit.
Why has your Magento site caught the security bug?
The PRODSECBUG-2198 security patch, released on the last Friday of March 2019, affects the following versions of Magento:
- Magento Commerce – Up to 126.96.36.199
- Magento Open Source – Up to 188.8.131.52
- Magento – Up to 2.1.17
- Magento – Up to 2.2.8
- Magento – Up to 2.3.1
If you’re looking to quickly protect your Magento website from this vulnerability, a stand-alone patch is available for installation; however, in order to be completely protected against all vulnerabilities, your Magento website will have to be upgraded to Magento Commerce or Open Source 2.3.1 or 2.2.8.
Click here to check your Magento security today with our top tips!
What are SQL Injections?
SQL injection is a form of injection attack that allows website hackers to execute malicious SQL statements. This gives them control of the database server behind a web application. Luckily, our bespoke development team is already familiar with this area and has a clear idea of what needs to be actioned.
Attackers are able to use SQL injection vulnerabilities to bypass the security measures put in place, getting around the authentication and authorisation of the web page to retrieve the contents of the whole SQL database. SQL injection also allows the hacker to change, add and delete records in the database.
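As an added illustration of the mechanism described above (this is not code from Magento or from the original post), the following Python snippet runs one and the same untrusted input through a query built by string concatenation and through a parameterised query, against a constructed in-memory SQLite table; the table layout, the probe string and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed in-memory sample store: not Magento's real schema, just enough
# to show why a query assembled from untrusted strings can be abused.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO admin_user VALUES ('admin', 'placeholder-hash')")
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the untrusted value is spliced into the SQL text, so the
    # database parses whatever the caller typed as part of the statement.
    sql = f"SELECT username FROM admin_user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: a bound parameter is always treated as a literal string
    # value, never as SQL syntax, whatever characters it contains.
    sql = "SELECT username FROM admin_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed hostile input: a quote that closes the string literal followed
# by an always-true condition, the textbook authentication-bypass shape.
PROBE = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, PROBE))  # -> ['admin'] : filter bypassed
    print(lookup_safe(conn, PROBE))        # -> []        : literal match only
```

The same probe that returns the admin row from the concatenated query returns nothing from the parameterised one, which is why prepared statements, not input filtering, are the primary fix for this class of bug.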
What is clickjacking?
Clickjacking is a form of attack that tricks a website user into clicking a link on a webpage. The link is typically disguised as another element within the page, causing the user to unknowingly download malware or other malicious software. The user believes they are clicking a visible page element; however, they are actually clicking an invisible element that can read card details.
There are two main types of clickjacking techniques used by attackers:
Likejacking is a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they did not intend to like.
Cursorjacking is a UI redressing technique that displaces the cursor from the position the user perceives to a different position. Cursorjacking relied on vulnerabilities in Flash and the Firefox browser; these vulnerabilities have since been fixed, preventing Cursorjacking from happening.
How to stay protected from security vulnerabilities?
Following this security bug, Magento officials have stated that, as the majority of website attacks are typically targeted at software installations that are not up-to-date with the latest security updates, they strongly recommend that users install security updates as soon as they are available. To find out more about the latest security patch, click here.
Magento Security Patch Services
At Brave, we have a team of developers that live, breathe and dream of Magento (day and night). As an integrated agency, we make sure that every site we are asked to support has the most up-to-date security patches in order to mitigate security bugs and attacks. Although no site is ever truly safe from these exploits, we believe it is best to apply prevention rather than cure. The disruption to you as a business and the damage you could face from customers having issues can’t be ignored.
As a Magento Agency, we would strongly recommend that your Magento website security is checked at least once a day to ensure the risk of a security bug is kept to a minimum at all costs.
To view our portfolio of Magento websites we have built over the last 18 years of Brave, click here. To get in touch to discuss our Magento Security Patch Services, call us today on 0845 544 3626!