Magento is turning to the dark side

If you weren’t paying attention or missed this blog, you may not know or remember what Magento is.

Unfortunately, the Magento of which we speak is not a magician, mind reader or confusionist (like the extremely talented Sean Alexander who performed some cunning stunts at our recent StormCloud event).

The Magento of which we speak is an eCommerce solution (payment system, the bit that processes you credit card details when you input them) that is used by thousands of online retailers big and small.

What’s that you say, there is a common platform used by a stack of online retailers that processes credit card details, surely that must be locked down tighter than a duck’s backside (and that’s waterproof)?

Regrettably, the Magento software has always suffered from a swathe of vulnerabilities, which if left unpatched, enables the army of bad boys, and they are legion, to harvest your credit card details and use them to buy trainers and ting.

Up until now, these naughty malwares are deployed is in the headers and footers of infected sites and are therefore relatively easy to spot, however a new variant has been discovered by a Magento developer called Jeroen Boersma. This variant is actual SQL code which runs before Magento and very effectively swipes your credit card details. Not only is it sneaky on the way in, but this piece of nastiness can also heal itself once dumped by the Magento content management system’s security.

The Magento maestro Willem de Groot is very troubled by this development, we would bet that he buys very little online. His blog piece about this new development is here.

The long and short of this is that everyone should be very careful about buying stuff from sites that run Magento, most of these sites are very poorly managed and maintained. If you are of a sensible (some might say paranoid) nature, you can check if a website is running Magento and is vulnerable to a number of nasties using this free tool.

ITC is currently deploying and developing cloud security systems, initially for AWS but with Azure to follow hot on its heels. If you would like to discuss this or anything else security related, please contact us at: [email protected] or 020 7517 3900.

If you were surprised that we didn’t do the cunning stunt joke, so are we.