eBay security hole could hurt SA sites

Check Point Software has announced that its malware and research department has discovered a vulnerability in e-Bay’s Magneto web e-commerce platform that affects nearly 200 000 online shops world wide – some even in South Africa.

Check Point Software Technologies, has announced that its malware and vulnerability Research Group recently discovered a critical remote code execution (RCE) vulnerability in eBay’s Magento web e-commerce platform, affecting nearly 200 000 online shops around the world – including many in South Africa.

If exploited, the vulnerability gives the attacker the ability to fully compromise any online store based on the Magento platform, including credit card information and other customer financial and personal data. The vulnerability allows any attacker to bypass all security mechanisms and gain control of the store and its complete database, allowing credit card theft or any other administrative access into the system.

According to Built With, more than 880 e-commerce websites using the .co.za domain name registration use the Magento platform, placing thousands of South Africans’ information at risk. As this figure does not include .com registrations, the number of at-risk individuals could be a lot higher.

Online shopping is growing rapidly in South Africa. By the end of 2014, according to World Wide Worx, Internet shopping was expected to near the R6 billion mark, up from R688 million when e-commerce started on its upward trajectory in 2006.

Security becomes of critical importance in light of this rise. According to the South African Banking Risk Information Centre (SABRIC), identity theft cost South Africans over R1 billion every year while losses from credit card fraud amounted to R366.8 million in 2013.

As online shopping continues to overpower in-store shopping, ecommerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Doros Hadjizenonos, sales manager for Check Point South Africa. “The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30% of the ecommerce market.

Check Point privately disclosed these vulnerabilities, together with a list of suggested fixes, to eBay prior to public disclosure. A patch to address the flaws was released on February 9, 2015 (SUPEE-5344 available here). Store owners and administrators are urged to apply the patch immediately.

Check Point customers are already protected from exploitation attempts of this vulnerability through the IPS software blade. For more information, please visit our blog.

Check Point’s Threat Intelligence & Research divisions regularly investigate attacks, vulnerabilities and breaches, and develop protections to secure its customers. For more information on other research findings from Check Point, visit: http://www.checkpoint.com/threatcloud-central/.

* Follow Gadget on Twitter on @GadgetZA