Security News

Over 2800 e-Shops Running Outdated Magento Software Hit by Credit Card Hackers
2020-11-11 02:50

A wave of cyberattacks against retailers running the Magento 1.x e-commerce platform earlier this September has been attributed to one single group, according to the latest research. Collectively called Cardbleed, the attacks targeted at least 2,806 online storefronts running Magento 1.x, which reached end-of-life as of June 30, 2020.

Adobe Patches 9 Vulnerabilities in Magento
2020-10-20 08:33

Adobe last week patched a total of nine vulnerabilities in its Magento e-commerce platform, including two critical issues. The vulnerabilities rated critical have been described as a "File upload allow list bypass" that can lead to arbitrary code execution, and an SQL injection flaw that can provide an attacker read or write access to the targeted store's database.

Magento, Visual Studio Code users: You need to patch!
2020-10-19 13:24

Microsoft and Adobe released out-of-band security updates for Visual Studio Code, the Windows Codecs Library, and Magento. Microsoft has fixed CVE-2020-17023, a remote code execution vulnerability in Visual Studio Code, its free and extremely popular source-code editor that's available for Windows, macOS and Linux.

Critical Magento Holes Open Online Shops to Code Execution
2020-10-15 20:59

Two critical flaws in Magento - Adobe's e-commerce platform that is commonly targeted by attackers like the Magecart threat group - could enable arbitrary code execution on affected systems. Retail is set to boom in the coming months - between this week's Amazon Prime Day and November's Black Friday - which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.

Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000
2020-09-15 13:29

Thousands of e-commerce stores built using Magento 1 have been poisoned with malicious code that steals customers' bank card information as they enter their details to order stuff online. Sansec, a software company focused on these so-called "Digital skimming" attacks, discovered that 1,904 cyber-shops had been altered by miscreants over the weekend to include malicious JavaScript that siphoned off folks' card info.

Hundreds of Magento Stores Hacked Daily in Major Skimming Campaign
2020-09-14 15:36

Thousands of Magento-powered online stores have been hacked over the past few days as part of a skimming campaign that has been described as the "Largest ever." Sansec on Monday reported seeing nearly 2,000 Magento stores that have been compromised as part of this campaign since Friday - over 1,000 stores were hacked on Saturday, more than 600 on Sunday, and over 200 so far on Monday.

Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws
2020-09-01 20:19

Satnam Narang, staff research engineer at Tenable, told Threatpost that researchers can't definitively say how many Magento sites are vulnerable - however, they were able to identify at least 1,500 websites indexed through search engines that use the Magmi plugin. The second, now patched flaw, CVE-2020-5777, is an authentication bypass flaw in Magmi for Magento version 0.7.23 and below.

Critical Magento Flaws Allow Code Execution
2020-07-29 21:22

Critical flaws in Adobe's Magento e-commerce platform - which is commonly targeted by attackers like the Magecart cybergang - could enable arbitrary code execution on affected systems. Adobe on Tuesday released security updates for flaws affecting Magento Commerce 2 and Magento Open Source 2, versions 2.3.5-p1 and earlier.

Tuesday’s Magento 1 EOL Leaves Clock Ticking on 100K Online Stores
2020-06-29 18:56

With Magento 1 reaching end-of-life on Tuesday, Adobe is making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2. Adobe is pulling the plug on security fixes for Magento Commerce 1.14 and Magento Open Source 1.

Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
2020-06-29 11:09

When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life and support on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1. "If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site's security and PCI DSS compliance," Adobe warned.