Magento CE Web Stores and Security Vulnerabilities: Are They Real?

In April this year, security audit company DefenseCode found a zero-day vulnerability in the popular web store platform Magento. This generated a lot of hype, and a lot has been written about it since. Was this threat real? Has it been fixed already? How do Magento users know they are not at risk? We’re here to try and shed some light on this issue once and for all.

The Vulnerability Explained

DefenseCode detected this zero-day vulnerability for versions 2.1.6/2.0.14 and below of Magento Community Edition (CE, now Magento Open Source). Although the Enterprise Edition (EE, now Magento Commerce) was not tested, the underlying faulty code is shared between the two Magento flavors, so the vulnerability is also present in Enterprise Edition for the version numbers mentioned above.

This threat was not detected for Magento 1, which means that Magento clients using versions 1.9.X.X don’t need to worry about this specific issue. So, what was the issue, specifically?

The exploit is related to adding Vimeo video content to any product on your store. Normally, the system automatically downloads a preview image for the video from a URL in order to validate it. But even if the image file is invalid, it is still downloaded and is not removed afterward.

In the affected versions of Magento, hackers could exploit this by pointing the URL at a fake file. Because the file is left on the server after being rejected, it can be accessed remotely and used to target an admin panel user, even if that user does not have admin privileges. That user can then be enticed to visit a malicious website, which completely opens up the server for further hacking.

This method of pointing the URL to a fake file is usually called a Cross-Site Request Forgery (CSRF). In a CSRF attack, the end user is forced to execute unwanted actions on a web application that trusts the user, which is to say, an application on which they are currently authenticated.

This hack also involved what is called Remote Code Execution, which happens once the fake file has been downloaded to the server. It is called Remote Code Execution because the hacker can make the server run the commands contained in the file from a remote machine.

The Solution

A software hole like this is called a zero-day vulnerability when it is still unknown to the software vendor, which was the case here when security company DefenseCode detected it. DefenseCode then reported the hole to Magento.

Shortly afterward, Magento responded to the issue with an email promising to address the threat in their 2.1.7 release, which was targeted for May. Furthermore, they advised their users to use the “Add Secret Key to URLs” feature in order to minimize the risks. Here is an excerpt from the email:

(…) In addition, this vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:

1. Logon to Merchant Site Admin URL (e.g., your domain.com/admin)

2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs

3. Select YES from the dropdown options

4. Click on Save Config
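To show why the "Add Secret Key to URLs" mitigation in the email above works against a forged request, here is a small model of the mechanism. It is an added example, not Magento's own code: it assumes a per-session secret and an HMAC over the admin route as a stand-in for Magento's real key derivation, and the store URL and route are constructed samples.

```python
# Toy model of "Add Secret Key to URLs": an admin request is accepted only if
# the key in its URL was derived from the requesting user's own session secret.
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

ADMIN_PATH = "admin"

def make_url_key(session_secret: bytes, route: str) -> str:
    """Derive the key for one admin route, bound to the current session (assumed scheme)."""
    return hmac.new(session_secret, route.encode(), hashlib.sha256).hexdigest()[:32]

def admin_url(base: str, route: str, session_secret: bytes) -> str:
    """Build an admin URL carrying the session-bound key, e.g.
    https://store.example/admin/catalog/product/edit/key/<hex>/"""
    return f"{base}/{ADMIN_PATH}/{route}/key/{make_url_key(session_secret, route)}/"

def is_request_allowed(url: str, session_secret: bytes) -> bool:
    """Server-side check: reject admin requests whose key is missing or does not
    match the key derived from the requesting session."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) < 3 or parts[0] != ADMIN_PATH or "key" not in parts:
        return False  # not an admin URL, or no key segment at all
    i = len(parts) - 1 - parts[::-1].index("key")  # last "key" segment
    if i + 1 >= len(parts) or parts[i + 1] == "":
        return False  # "key" segment present but no value after it
    route = "/".join(parts[1:i])
    expected = make_url_key(session_secret, route)
    return hmac.compare_digest(parts[i + 1], expected)

def demo() -> dict:
    """Only the URL generated with the victim's own session secret validates;
    a link built without that secret (no key, or another session's key) is rejected."""
    base = "https://store.example"            # constructed sample store
    route = "catalog/product/edit"
    victim_secret = secrets.token_bytes(32)   # created at login, never leaves the server
    other_secret = secrets.token_bytes(32)    # a different session does not know it
    legit = admin_url(base, route, victim_secret)
    no_key = f"{base}/{ADMIN_PATH}/{route}/"
    wrong_key = admin_url(base, route, other_secret)
    return {
        "legit": is_request_allowed(legit, victim_secret),
        "no_key": is_request_allowed(no_key, victim_secret),
        "wrong_key": is_request_allowed(wrong_key, victim_secret),
    }

if __name__ == "__main__":
    print(demo())  # {'legit': True, 'no_key': False, 'wrong_key': False}
```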

Magento kept its promise and fixed the issue in versions 2.0.14 and 2.1.7, released in May. In the release notes, you can see it identified as “APPSEC-1679: APIs vulnerable to CSRF”, with the description: “Some customer authenticated APIs are vulnerable to CSRF, allowing phishing attacks.”

The bottom line: this vulnerability was real, but the Magento team has already fixed it. As long as you are using Magento 2.0.14/2.1.7 or higher, you should be safe. Remember that Magento 1.9.X.X did not have this vulnerability in the first place.
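A quick way to answer "am I at risk?" for a list of stores is to compare each version string against the fixed releases named above. This is an added example, not DefenseCode's or Magento's code; the thresholds (2.0.14 and 2.1.7, Magento 1.x not affected) are taken from this post, and the store inventory is a constructed sample.

```python
# Classify Magento version strings against the fix thresholds stated in the post.
import re

# First safe release per affected 2.x branch, as stated in the post.
FIXED_IN = {(2, 0): (2, 0, 14), (2, 1): (2, 1, 7)}

def parse_version(text: str) -> tuple:
    """Extract x.y.z from strings like '2.1.6' or 'Magento/2.0.13 (Community)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(text: str) -> bool:
    """True only for 2.0.x below 2.0.14 and 2.1.x below 2.1.7.
    Magento 1.x is reported as not affected; 2.2 and later shipped after the fix."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    return False

def audit(inventory: dict) -> dict:
    """Map store name -> 'affected' / 'not affected' for an inventory of stores."""
    return {name: ("affected" if is_affected(ver) else "not affected")
            for name, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory of store versions
    stores = {"shop-a": "1.9.3.4", "shop-b": "2.0.13", "shop-c": "2.0.14",
              "shop-d": "2.1.6", "shop-e": "2.1.7", "shop-f": "2.2.0"}
    for name, status in audit(stores).items():
        print(f"{name}: {stores[name]} -> {status}")
```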

General Security Tips

Even though this vulnerability has already been fixed, there are steps you can take to keep your website as safe as possible. First of all, always run the latest software. As we’ve seen, this would not have protected you from the CSRF issue while it was still a zero-day, but Magento’s team was quick to address it, and it was fixed a little more than a month after being reported.

Something else you can do, besides using a strong password, is to enable two-factor authentication. Many websites use it nowadays, and for Magento there are several extensions that provide it. Usually it works by requiring a code generated by a smartphone app, which adds an extra layer of security.

Another tip you will sometimes see is to change your Magento admin path from your-site.com/admin to your-site.com/[something-else]. This stops hackers from reaching your admin panel to guess your password, or from using the password even if they somehow know it, because they won’t find the admin path so easily. To change the path, open the file /app/etc/local.xml in your Magento directory, find “<![CDATA[admin]]>”, and change “admin” to the expression you want.

Check Your Website’s Security

There are more security tips you can follow to keep your web store secure, but we won’t cover them here. You may also be wondering, “how do I know if my website is already secure?” There are a few ways to find out.

One way is through an audit. Some companies can audit your website for you. Having an experienced developer look at the source code can help identify security flaws, as well as performance issues, if any exist.

There are also websites that let you submit the URL of your own web store for a security scan. These services scan your website for known security flaws and vulnerabilities and show you a report afterward. If your store does have security holes, the report should help you identify them and decide what to do about each one.

Wrapping Up

The claims DefenseCode made earlier this year about the vulnerability of Magento Community Edition web stores were justified. However, the Magento team has already solved the issue, and it is no longer present in the most recent versions of the platform.

You should keep security in mind and take steps to ensure your web store is a safe place. This is good not only for you but also for your customers.