Wednesday, 27 January 2016

Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk

If you are using Magento to run your e-commerce website, it's time to update the CMS (content management system) now.
Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in Magento, the most popular e-commerce platform, which is owned by eBay.

Why Are the Bugs So Serious?

Virtually all versions of Magento Community Edition 1.9.2.2 and earlier, as well as Enterprise Edition 1.14.2.2 and earlier, are vulnerable to the Stored Cross-Site Scripting (XSS) flaws.
Stored XSS flaws are serious because they allow attackers to:
  • Effectively take over a Magento-based online store
  • Escalate user privileges
  • Siphon customers’ data
  • Steal credit card information
  • Control the website via administrator accounts
However, the good news is that the vulnerabilities are patched, and an update has been made available to the public after security firm Sucuri discovered and privately reported the vulnerability to the company.

How Easy It Is to Exploit the Flaw

The XSS bugs are quite easy to exploit. All an attacker needs to do is submit JavaScript code in place of an email address in the customer registration form.
When an administrator later views that stored record, the Magento backend renders the "email address" unescaped, so the embedded JavaScript executes in the context of the administrator's session, making it possible for an attacker to steal the administrator session and completely take over the server running Magento.
Cybersecurity firm Sucuri describes the bug as the worst of the holes, saying:
"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you are behind a WAF or you have a very heavily modified administration panel, you are at risk."
"As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."
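The pattern described above (a customer-supplied "email" stored verbatim and later rendered into the admin backend's HTML) is easiest to see in a small model of the two sides of the fix: output encoding at the render site and input validation at the registration boundary. The following is an added example written for this page, not Magento code and not part of the SUPEE-7405 patch; the template strings, function names and the `probe()` marker payload are constructed assumptions.

```python
"""Constructed illustration of the stored-XSS pattern: a customer-supplied
"email" is stored as submitted and later rendered into admin HTML.
Not Magento code; template strings and function names are assumptions."""
import html
import re

# Constructed sample registrations: one legitimate, one carrying markup.
# The payload is an inert marker; it only needs to show up unescaped.
SAMPLE_REGISTRATIONS = [
    {"name": "Alice", "email": "alice@example.com"},
    {"name": "Mallory", "email": "<script>probe()</script>"},
]

# A deliberately simple address check: one local part, one '@', a domain
# with a dot, and none of the characters that can open a tag or attribute.
# This is a validation layer, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    return bool(EMAIL_RE.match(value))


def render_row_vulnerable(customer: dict) -> str:
    """The bug class: stored input concatenated straight into admin HTML."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (customer["name"], customer["email"])


def render_row_hardened(customer: dict) -> str:
    """Output encoding at the render site: every stored field is escaped for
    the HTML text context before it reaches the administrator's browser."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(customer["name"], quote=True),
        html.escape(customer["email"], quote=True),
    )


def contains_raw_markup(rendered: str) -> bool:
    """Detection helper for a review or test suite: does any raw tag survive
    rendering? Rows built only from escaped fields have no '<' or '>' outside
    the template's own <tr>/<td> tags."""
    stripped = re.sub(r"</?(tr|td)>", "", rendered)
    return "<" in stripped or ">" in stripped


def register_customer(store: list, name: str, email: str) -> bool:
    """Input validation at the registration boundary: reject anything that is
    not shaped like an address before it is ever stored. Defence in depth;
    escaping on output is still required for fields that legitimately carry
    arbitrary text."""
    if not is_valid_email(email):
        return False
    store.append({"name": name, "email": email})
    return True


if __name__ == "__main__":
    for customer in SAMPLE_REGISTRATIONS:
        print("vulnerable:", render_row_vulnerable(customer))
        print("hardened:  ", render_row_hardened(customer))
```

The two layers fail independently: validation alone does not help a backend that also renders free-text fields (names, addresses, order comments), and escaping alone still leaves junk in the customer table, which is why both belong in a fix.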

Patch your Software Now!

To prevent websites from exploitation, webmasters are recommended to apply the latest patch bundle SUPEE-7405 as soon as possible.
The latest patch resolves the issue for Magento versions 1.14.1 and 1.9.1 and earlier; the problems affecting Magento versions 1.14.2.3 and 1.9.2.3 have already been resolved.
Used by e-commerce websites in the Alexa top one million and by over ten million websites overall, Magento is the internet's fourth most popular CMS and has become a valuable target for attackers.
So, patch your websites now to stay safe!

Remove Vulnerable Java Software Now

Security issues have long plagued the over 850 Million users who have Oracle's Java software installed on their computers. Worse, the software was not fully updated or secured for years, exposing millions of PCs to attack.
And for this reason, Oracle is now paying the price.

Oracle has been accused by the US government of misleading consumers about the security of its Java software.
Oracle is settling with the Federal Trade Commission (FTC) over charges that it "deceived" its customers by failing to warn them about the security upgrades.

Java is software that comes pre-installed on many computers and helps them run web applications, including online calculators, chatrooms, games, and even 3D image viewers.

Oracle Left Over 850 Million PCs at Risk

The FTC has issued a press release saying it has won concessions in a settlement with Oracle over the company's failure to uninstall older, insecure versions of Java SE from customer PCs during the upgrade process, which left up to 850 Million PCs susceptible to hacking attacks.
The company's updater only replaced the most recent version of the software and ignored the older versions, which were often riddled with security holes that attackers could exploit to compromise a targeted PC.

Oracle is Now Paying the Price

So, under the terms of the settlement with Oracle, announced by the FTC on Monday, Oracle is required to:
  • Notify Java customers about the issue via Twitter, Facebook, and its official website
  • Provide tools and instructions on how to remove older versions of Java software
Oracle has agreed to the settlement, which is now subject to public comment for 30 days, although the company declined to comment.
Meanwhile, the FTC wants Java users to check whether they have older versions of the software installed; the website java.com/uninstall will help you remove them.

Oh Snap! Lenovo protects your Security with '12345678' as Hard-Coded Password in SHAREit

What would you expect a tech giant to protect your back door with?
Holy Cow! It's "12345678" as a hard-coded password.
Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit, which could be exploited by anyone who could guess the password '12345678'.
The Chinese company, the world's largest PC maker, has made a number of headlines in the past for compromising its customers' security.

It had shipped laptops with the insecure SuperFish adware, it was caught using a rootkit to secretly install unremovable software, its website was hacked, and it was caught pre-installing spyware on its laptops. Any of these incidents could have been easily prevented.
Now CoreLabs, the research center of Core Security, has issued an advisory on Monday that reveals several software vulnerabilities in the Lenovo SHAREit app for Windows and Android that could result in:
  • Information leaks
  • Security protocol bypass
  • Man-in-the-middle (MITM) attacks

Critical Vulnerabilities in SHAREit

SHAREit is a free file sharing application designed to let people share files and folders between Android devices and Windows computers over a local LAN or through a Wi-Fi hotspot that the app creates.
All the vulnerabilities were remotely exploitable and affected the Android 3.0.18_ww and Windows 2.5.1.1 versions of SHAREit.
Here's the list of the four vulnerabilities:
  • Use of Hard-coded Password [CVE-2016-1491]
  • Missing Authorization [CVE-2016-1492]
  • Missing Encryption of Sensitive Data [CVE-2016-1489]
  • Information Exposure [CVE-2016-1490]
The first vulnerability (CVE-2016-1491) would make you scream… How Dare You!

Using '12345678' as Hard Coded Password

Lenovo was using '12345678' as a hard-coded password in SHAREit for Windows, a password that was awarded the title of the Third Worst Password of 2015 by the password management firm SplashData.
Here's what Core Security researchers explain:
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."
This is especially ridiculous because the password is hard-coded and cannot be changed by an average user, putting consumers and their data at risk.

Other Critical Flaws Left Millions of Users at Risk

The issue gets worse with the second vulnerability (CVE-2016-1492), which applies only to SHAREit for Android: when the app is configured to receive files, it creates an open Wi-Fi hotspot without any password.
This could allow an attacker to connect to that insecure Wi-Fi hotspot and capture the data transferred between Windows and Android devices.
It doesn't end there. Both Windows and Android were open to the third flaw (CVE-2016-1489), which involved the transfer of files via HTTP without encryption.
This allowed hackers to sniff the network traffic and view the data transferred, or to perform Man-in-the-Middle (MitM) attacks in order to modify the content of the transferred files.
Finally, the fourth vulnerability (CVE-2016-1490) discovered by CoreLabs relates to remote browsing of the file system in Lenovo SHAREit and builds on the default 12345678 Windows password issue described above.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.

Patch Now!

The researchers at Core Security privately reported the flaws to Lenovo back in October last year, but the tech giant took three months to patch the flaws.
Patches for both the Android and Windows versions have been made available, on the Google Play Store and from Lenovo respectively. SHAREit users are advised to update their apps as soon as possible.