Setting the Record Straight 2015
July 2, 2015
A little less than a week ago, Sucuri posted an article detailing an eCommerce vulnerability, using a hack involving a Magento site as an example. The article could be read as implying that a new core vulnerability is being exploited in these hacks.
What you need to know:
This kind of hack is not new: it has been affecting PHP web apps for several years and is not limited to eCommerce sites.
We appreciate what researchers, like Sucuri, are doing to elevate the visibility of potential threats to help keep eCommerce safe and secure. We encourage them to continue probing potential threats and sharing information with Magento and the public.
Another recent article, titled "eBay patches input, XSS, CSRF vulnerabilities in Magento e-commerce platform", needs some further clarification. While the title implies that Magento software was patched, the vulnerabilities mentioned involve the Magento.com website and a third-party theme that is not owned, supported, or maintained by Magento. The good news: the Magento.com issues were promptly patched and the maintainer of the theme has been notified of the vulnerability. The disclosures, which are linked from the article, clearly demonstrate that these issues had nothing to do with the Magento platform itself.
During the past week, there have been several follow-up pieces which sensationalize and misinterpret the contents of these two articles. Please know that these articles contain no new substantive information, and no new vulnerabilities or bugs are being presented. Magento will continue to handle credible vulnerabilities with due swiftness and visibility, including posts at the Magento Security portal as well as social media broadcasts. The security of the Magento platform is our top priority.
What can you do to keep your site secure?
Magento encourages merchants to have an active dialogue on security between their infrastructure partners and the systems integrators that design their web stores. Please take a moment to confirm you’re using best practices with regard to your admin passwords. We encourage all merchants to have strong admin passwords in place and to change them often. It is possible for attackers to take advantage of weak or leaked passwords to do things like install extensions with malicious code. Additionally, you should be sure to disable remote access to Magento Connect Manager and Downloader on production sites or restrict it to safe IP addresses, and regularly check your list of extensions and logs for suspicious activity.
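One way to act on the last two recommendations (restrict the Downloader to safe IP addresses, then check your logs): the short Python script below, added here as an illustration and not part of the original post, scans web-server access-log lines for requests to the Magento Connect Manager / Downloader and admin paths coming from addresses outside a trusted allowlist. The allowlist, the sensitive path prefixes and the log lines are all constructed assumptions for the example; adjust them to your own admin path and trusted networks.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in the common combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2015:10:01:12 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120
198.51.100.23 - - [02/Jul/2015:10:02:45 +0000] "POST /downloader/ HTTP/1.1" 200 3311
203.0.113.7 - - [02/Jul/2015:10:03:01 +0000] "GET /skin/frontend/default/default/css/styles.css HTTP/1.1" 200 901
192.0.2.200 - - [02/Jul/2015:10:05:30 +0000] "POST /downloader/index.php HTTP/1.1" 200 3311
192.0.2.200 - - [02/Jul/2015:10:05:31 +0000] "POST /index.php/admin/system_config/save/ HTTP/1.1" 302 0
192.0.2.201 - - [02/Jul/2015:10:06:00 +0000] "GET /downloader/ HTTP/1.1" 403 199
"""

# Assumed allowlist of "safe" networks from which admin/Downloader access is expected.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed sensitive path prefixes: the Downloader and the (default) admin route.
SENSITIVE_PATHS = ("/downloader", "/index.php/admin", "/admin")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_allowed(ip):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def suspicious_hits(log_text):
    """Return (ip, method, path, status) for requests to sensitive paths from
    untrusted addresses that the web server did not already reject (403)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path")
        if not path.startswith(SENSITIVE_PATHS):
            continue
        if is_allowed(m.group("ip")):
            continue
        if m.group("status") == "403":
            continue  # the IP restriction already blocked this request
        hits.append((m.group("ip"), m.group("method"), path, m.group("status")))
    return hits


def summarize(hits):
    """Count suspicious requests per client address for a quick triage view."""
    return Counter(ip for ip, _, _, _ in hits)
```

Any address that appears in the summary with successful (non-403) requests to the Downloader or admin paths is worth investigating, and is also a sign that the IP restriction is not in place or not covering that path.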