Online retailers that use eBay's e-commerce platform have been warned of a vulnerability that could enable hackers to steal credit card and customer details.
Check Point’s Malware and Vulnerability Research Group discovered the remote code execution vulnerability in eBay’s Magento platform, which it says affects nearly 200,000 online shops.
According to Check Point, the vulnerability allows any attacker to bypass security mechanisms and gain control of the store and its database, allowing credit card theft or any other administrative access into the system.
“The vulnerability we uncovered is a threat to all of the retail brands using the Magento platform for their online stores – which represents about 30% of the e-commerce market,” said Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.
Check Point privately disclosed these vulnerabilities together with a list of suggested fixes to eBay prior to public disclosure.
It recommended that online retailers apply the patch SUPEE-5344 immediately.
The Magento community site urged retailers to try out all patches in a test environment before taking them live, which could delay any patching. Retailers that suffer a breach in which credit card data is stolen could be fined by the card issuers. Earlier in April US retailer Target agreed to pay Mastercard $19m following its massive data breach in 2013, in which 40 million accounts were compromised.
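A practical follow-up to the advice above is to verify which stores actually have SUPEE-5344 recorded as applied before the test-and-roll-out cycle is considered complete. The script below is an added example, not code from the article, Check Point, eBay or the Magento project; it assumes that Magento 1 patch scripts append a line containing the patch id to `app/etc/applied.patches.list` under the store root, and the sample list contents it creates are constructed.

```shell
#!/bin/sh
# Added example (not from the article, Check Point, eBay or Magento):
# report which store roots have a given SUPEE patch id recorded as applied.
# Assumption: Magento 1 patch scripts append a line containing the patch id
# to app/etc/applied.patches.list under each store root.

# supee_applied STORE_ROOT PATCH_ID -> exit 0 if the id is listed, 1 otherwise
supee_applied() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] || return 1          # no list at all: treat as unpatched
    grep -qF -- "$2" "$list"
}

# check_stores PATCH_ID ROOT... -> one status line per root;
# returns 1 if any root is missing the patch, 0 if all have it
check_stores() {
    patch="$1"; shift
    rc=0
    for root in "$@"; do
        if supee_applied "$root" "$patch"; then
            echo "$root: $patch applied"
        else
            echo "$root: $patch MISSING"
            rc=1
        fi
    done
    return $rc
}

# demo: two constructed store roots, one patched and one not, so the
# script runs offline; replace with real roots such as /var/www/store1
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/patched/app/etc" "$tmp/unpatched/app/etc"
    # constructed line in the style of applied.patches.list
    echo "2015-04-22 10:00:00 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | constructed sample" \
        > "$tmp/patched/app/etc/applied.patches.list"
    : > "$tmp/unpatched/app/etc/applied.patches.list"
    check_stores SUPEE-5344 "$tmp/patched" "$tmp/unpatched"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Run it against real installations with `check_stores SUPEE-5344 /path/to/store1 /path/to/store2`; a non-zero exit code flags at least one unpatched root, which makes the check easy to wire into a cron job or deployment gate. Note that the list only records that the patch script ran, so a store restored from an older backup should be re-checked.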
Over 240,000 retailers use Magento globally. Its customers include clothing stores Mothercare, Gant, Athlete’s Foot and Harvey Nichols, and manufacturer 3M.
In February, Magento announced it would offer its enterprise customers cloud hosting on IBM’s SoftLayer cloud platform. It recently launched a free small business version of the product.
eBay, which manages Magento, operates a responsible disclosure policy and offers bug finders a bounty of up to $10,000 for finding a major security issue.