... those pesky X-Men!
Hacker Netanel Rubin has found a critical remote vulnerability in eBay's web commerce platform Magento that affects 88,000 shops and allows buyers to purchase anything for free, and compromise credit cards and personal data. The Check Point vulnerability hunter says many tat bazaar stores are still exposed to the bug that …
Firstly, to get anything delivered I would think you need an address at the very least. Second, it would surely be very easy to implement a check for all 0 value transactions made with a coupon, or even any transaction with a coupon discount greater than x%.
I am not suggesting it should not be fixed in a hurry, but to get away with the goods seems more than trifling difficult.
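The kind of post-order review rule the comment above suggests, as an added example that is not part of the thread and not Magento code: it flags orders whose grand total is zero while a coupon was applied, or whose coupon discount exceeds a configurable share of the subtotal. The `Order` record and the sample orders are constructed for the example and do not mirror Magento's real order schema; the 50% threshold stands in for the commenter's "x%".

```python
"""Flag orders that deserve a human look before fulfilment.

Added example, not code from the thread or from Magento. The Order record and
the SAMPLE_ORDERS below are constructed sample data, not Magento's schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Order:
    order_id: str
    subtotal: float             # item prices before any discount
    discount: float             # absolute discount amount, as a positive number
    coupon_code: Optional[str]  # None when no coupon was used

    @property
    def grand_total(self) -> float:
        # A discount larger than the subtotal is clamped to a zero total,
        # which is exactly the "free goods" case worth catching.
        return max(self.subtotal - self.discount, 0.0)


def discount_ratio(order: Order) -> float:
    """Discount as a fraction of the subtotal.

    A zero subtotal with a non-zero discount is treated as a 100% discount
    rather than dividing by zero.
    """
    if order.subtotal <= 0:
        return 1.0 if order.discount > 0 else 0.0
    return order.discount / order.subtotal


def review_reasons(order: Order, max_ratio: float = 0.5) -> List[str]:
    """Return the list of reasons an order should be held for review (empty if none)."""
    reasons: List[str] = []
    if order.coupon_code and order.grand_total == 0:
        reasons.append("zero-value order with coupon")
    if order.coupon_code and discount_ratio(order) > max_ratio:
        reasons.append(
            f"coupon discount {discount_ratio(order):.0%} exceeds {max_ratio:.0%}"
        )
    # A discount with no coupon recorded, or one larger than the goods, points
    # at a manipulated request rather than a generous promotion.
    if order.discount > order.subtotal:
        reasons.append("discount exceeds subtotal")
    if order.discount > 0 and not order.coupon_code:
        reasons.append("discount applied without a coupon code")
    return reasons


def flag_orders(orders: List[Order], max_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Map order id -> reasons, for every order that has at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for order in orders:
        reasons = review_reasons(order, max_ratio)
        if reasons:
            flagged[order.order_id] = reasons
    return flagged


# Constructed sample orders (ids and codes are made up for the example).
SAMPLE_ORDERS = [
    Order("100000001", 120.00, 12.00, "SAVE10"),     # ordinary 10% coupon
    Order("100000002", 89.99, 89.99, "FREESTUFF"),   # 100% off: zero-value order
    Order("100000003", 200.00, 150.00, "BIGCUT"),    # 75% off, over the threshold
    Order("100000004", 49.00, 60.00, None),          # discount exceeds subtotal, no coupon
    Order("100000005", 30.00, 0.00, None),           # nothing unusual
]

if __name__ == "__main__":
    for order_id, reasons in flag_orders(SAMPLE_ORDERS).items():
        print(order_id, "->", "; ".join(reasons))
```

Run as a script it prints one line per held order; in a real deployment the same function would sit behind an order-placed hook or a nightly report rather than in the checkout path.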
It has been fixed since February, provided all sites have updated to versions since then; only sites running older versions are vulnerable. The problem is that there are a lot of sites running the older version. Direct quote from a friend that has used it: "it's an updating nightmare and the admin side is horrific".
All sites running versions up to CE 188.8.131.52 are vulnerable... Until patched.
Your highly paid for Enterprise version also is a wide open swinging barn door.
And Magento suffers regression errors: when you upgrade, the core patched files are overwritten, which causes your website to be open to the wide world all over again until re-patched with ALL the patches that apply to your current version.
The patch is a shell script patch that needs to be manually run with crossed fingers in the hopes it doesn't blow chunks.
After patching, you still aren't in the clear... Your fully patched website is still vulnerable.
If you're running the kludge compiler, recompile. Then clear your Magento cache, best if done by manually deleting the cache subfolders just to be sure. Then, if you're running an opcode cache, better clear that as well.
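The cache-clearing step from the comment above, as an added example that is not from the thread and not a Magento-supplied script. It assumes a Magento 1.x layout: `app/Mage.php` at the store root (used as a sanity check before deleting anything) and file caches under `var/cache` and `var/full_page_cache`; the compiler and opcode-cache steps are left to the notes in the comments because they depend on the server's PHP setup.

```bash
#!/bin/sh
# Added example (not from the thread or from Magento): empty Magento 1 file caches
# after a patch so stale cached code does not keep the pre-patch behaviour alive.
# Assumed layout: app/Mage.php at the root, caches in var/cache and var/full_page_cache.

# Refuse to touch a directory that does not look like a Magento root.
is_magento_root() {
    [ -f "$1/app/Mage.php" ]
}

# Remove the contents of the cache directories but keep the directories
# themselves (Magento recreates entries on the next request).
# Returns 0 on success, 1 when the path does not look like a Magento root.
clear_magento_cache() {
    root="$1"
    if ! is_magento_root "$root"; then
        echo "refusing: $root has no app/Mage.php" >&2
        return 1
    fi
    for d in "$root/var/cache" "$root/var/full_page_cache"; do
        [ -d "$d" ] || continue
        # -mindepth 1 -maxdepth 1: delete each top-level entry recursively,
        # never the cache directory itself.
        find "$d" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
    done
    return 0
}

# Reset OPcache for the PHP CLI if it is loaded. Note: this only resets the
# CLI's own cache; for mod_php or php-fpm the web server / fpm service must be
# reloaded so the web SAPI drops its cached bytecode too.
reset_cli_opcache() {
    command -v php >/dev/null 2>&1 || return 0
    php -r 'if (function_exists("opcache_reset")) { opcache_reset(); }'
}

# Usage (the store root is a placeholder): clear_magento_cache /var/www/magento && reset_cli_opcache
```

Run the compiler's own recompile (or disable compilation) before this, then clear the caches, then restart the PHP service so the opcode cache on the web side is actually dropped; the sanity check on `app/Mage.php` is there because a mistyped path with `rm -rf` in it is its own incident.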
Delivery hasn't been an issue with many fraudulent transactions, either on eBay or using a stolen card. The perps use a drop-type address: an empty house, a willing "friend", etc. I remember hearing one tale where stuff was being sent to an open field where someone conveniently put a mailbox near the sidewalk and would meet the UPS driver for the delivery.
One should never underestimate miscreants. They can be truly inventive.