You would think, with Adobe's record, people would stop using their platforms... but monkey see other monkeys and monkey copies them...
Big brands among thousands infected by payment-card-stealing CosmicSting crooks
Ray-Ban, National Geographic, Whirlpool, and Segway are among thousands of brands whose web stores were reportedly compromised by criminals exploiting the CosmicSting flaw in hope of stealing shoppers' payment card info as they order stuff online. CosmicSting is the name for a critical vulnerability, CVE-2024-34102, in Adobe's …
COMMENTS
-
Friday 4th October 2024 05:19 GMT An_Old_Dog
Matroshka Dolls
"Are you using Product Foo with packages Bar and Baz to leverage your web platform?"
There are droids who truly speak like that, and many more monkeys who eat that speech up with a shovel.
Modern e-commerce sites are built with a Matroshka doll-like series of packages and dependencies, all which have their own vulnerabilities and (sometimes not-so-timely) sets of patches.
-
Friday 4th October 2024 10:05 GMT plunet
Re: Matroshka Dolls
Ah, but the monolithic off-the-shelf e-commerce package is probably just as bad, as it's either been knitted together using all the usual third-party software and you're blind to it, or, if they really have written it all themselves from the ground up, you just gotta hope their own testing really stands up to muster.
-
Friday 4th October 2024 10:39 GMT DanielsLateToTheParty
Re: Matroshka Dolls
This is Magento 2 which was largely written by a team of Java programmers from eBay (eBay owned Magento Inc at that time). The result is typical Java-ness with objects that only exist to wrap objects that contain a single function called "execute" which is instantiated by a factory class, that is instantiated by a manager class, that is referenced by as many XML files as there are PHP files - some of which are only there to read XML files.
A typical installation has 60,000 source files, over 3 million lines of code, about 500MB BEFORE modifications are made. PHP sites are usually assigned a memory limit of 128MB but for Magento we recommend raising that to 2GB. Our preferred servers come with 200GB RAM because ElasticSearch (another of Magento's requirements) is such a memory hog that I've often seen it go above 100GB. For one website!
Oh, and about 40% of our sites got hacked by various CosmicSting groups in the past two months.
-
Monday 7th October 2024 09:01 GMT Softwaerewolf
Re: Matroshka Dolls
If 40% of your sites have been infected in the last 2 months, and a patch has been available for at least as long as that, for several versions of Magento then I think your team should stop running Magento sites and probably retire from the industry entirely.
Given how easy it is to patch, it's an indictment that anyone hasn't patched it; I've seen small teams turn around and patch on day one. None of these companies should have been hacked unless it happened as a zero-day. Criminal negligence, and I hope they get severe fines, but probably not, because basically nobody gets held to account for lacking cybersec.
-