
Check Point Software Technologies today announced that its Malware and Vulnerability Research Group recently discovered a critical RCE (remote code execution) vulnerability in eBay’s Magento web ecommerce platform, affecting nearly two hundred thousand online shops.

If exploited, the vulnerability lets an attacker fully compromise any online store based on the Magento platform, exposing credit card information and other customer financial and personal data. It allows any attacker to bypass all security mechanisms and gain control of the store and its complete database, enabling credit card theft or any other administrative access to the system.

Shahar Tal, Vulnerability Research Manager, said:

“As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information.”

Check Point privately disclosed these vulnerabilities together with a list of suggested fixes to eBay prior to public disclosure. A patch to address the flaws was released on February 9, 2015 (SUPEE-5344 available here).

Store owners and administrators are urged to apply the patch immediately.
