A flaw in eBay’s Magento web commerce platform, used by many well-known online stores, will allow hackers to access credit card information and other customer financial and personal data. The vulnerability leaves millions of credit cards and online shoppers at risk.
If exploited, attackers can compromise any online store based on the Magento platform, meaning that this affects nearly two hundred thousand online shops. The flaw, which is a remote code execution vulnerability, bypasses all security mechanisms and gives control of the store and its complete database, allowing credit card theft and administrative access into the system.
“As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.
The Magento Community Edition is open-source e-commerce software, and can be downloaded for free. Developers can modify the core code and add features and functionality by installing extensions from the Magento Connect marketplace.
“The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores—which represents about 30% of the ecommerce market,” Tal added.
Check Point privately disclosed these vulnerabilities together with a list of suggested fixes to eBay prior to public disclosure. Store owners and administrators are urged to apply the patch that eBay has prepared, immediately.