Software flaw puts thousands of Magento sites at risk

A new vulnerability in the Magento e-commerce platform that could enable hackers to steal credit card and customer details has been found

Online retailers that use eBay's e-commerce platform have been warned of a vulnerability that could enable hackers to steal credit card and customer details.

Check Point’s Malware and Vulnerability Research Group discovered the remote code execution vulnerability in eBay’s Magento platform, which it says affects nearly 200,000 online shops.

According to Check Point, the vulnerability allows any attacker to bypass security mechanisms and gain control of the store and its database, allowing credit card theft or any other administrative access into the system.

“The vulnerability we uncovered is a threat to all of the retail brands using the Magento platform for their online stores – which represents about 30% of the e-commerce market,” said Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.

Check Point privately disclosed the vulnerability, together with a list of suggested fixes, to eBay prior to public disclosure.

It recommended that online retailers apply the patch SUPEE-5344 immediately.


The Magento community site urged retailers to try out all patches in a test environment before taking them live, which could delay any patching. Retailers that suffer a breach in which credit card data is stolen could be fined by credit card issuers. Earlier in April US retailer Target agreed to pay Mastercard $19m following its massive data breach in 2013, in which 40 million accounts were compromised.

Over 240,000 retailers use Magento globally. Its customers include clothing stores Mothercare, Gant, Athlete’s Foot and Harvey Nichols, and manufacturer 3M.

In February, Magento announced it would offer its enterprise customers cloud hosting on IBM’s SoftLayer cloud platform. It recently launched a free small business version of the product.

eBay, which manages Magento, operates a responsible disclosure policy and offers bug finders a bounty of up to $10,000 for finding a major security issue.
