Big brands among thousands infected by payment-card-stealing CosmicSting crooks

Ray-Ban, National Geographic, Whirlpool, and Segway are among thousands of brands whose web stores were reportedly compromised by criminals exploiting the CosmicSting flaw in hope of stealing shoppers' payment card info as they order stuff online. CosmicSting is the name for a critical vulnerability, CVE-2024-34102, in Adobe's …

  1. CowHorseFrog Silver badge

    You would think with Adobe's record, people would stop using their platforms... but monkey see other monkeys and monkey copies them...

  2. An_Old_Dog Silver badge

    Matroshka Dolls

    "Are you using Product Foo with packages Bar and Baz to leverage your web platform?"

    There are droids who truly speak like that, and many more monkeys who eat that speech up with a shovel.

    Modern e-commerce sites are built with a Matroshka doll-like series of packages and dependencies, all which have their own vulnerabilities and (sometimes not-so-timely) sets of patches.

    1. plunet

      Re: Matroshka Dolls

      Ah, but the monolithic off-the-shelf e-commerce package is probably just as bad, as it's either been knitted together using all the usual third-party software and you're blind to it, or, if they really have written it all themselves from the ground up, you've just gotta hope their own testing really stands up to muster.

    2. DanielsLateToTheParty

      Re: Matroshka Dolls

      This is Magento 2, which was largely written by a team of Java programmers from eBay (eBay owned Magento Inc. at that time). The result is typical Java-ness, with objects that only exist to wrap objects that contain a single function called "execute", which is instantiated by a factory class, that is instantiated by a manager class, that is referenced by as many XML files as there are PHP files, some of which are only there to read XML files.

      A typical installation has 60,000 source files, over 3 million lines of code, about 500MB BEFORE modifications are made. PHP sites are usually assigned a memory limit of 128MB, but for Magento we recommend raising that to 2GB. Our preferred servers come with 200GB RAM because Elasticsearch (another of Magento's requirements) is such a memory hog that I've often seen it go above 100GB. For one website!

      Oh, and about 40% of our sites got hacked by various CosmicSting groups in the past two months.

      1. CowHorseFrog Silver badge

        Re: Matroshka Dolls

        Java doesn't have functions, it has methods, not functions. Secondly, why would Java programmers "write" Magento in PHP if they are Java programmers?

        Other than that your story makes perfect sense.

      2. Softwaerewolf

        Re: Matroshka Dolls

        If 40% of your sites have been infected in the last 2 months, and a patch has been available for at least as long as that for several versions of Magento, then I think your team should stop running Magento sites and probably retire from the industry entirely.

        Given how easy it is to patch, it's an indictment that anyone hasn't patched it; I've seen small teams turn around and patch on day one. None of these companies should have been hacked unless it happened as a zero-day. Criminal negligence, and I hope they get severe fines, but probably not, because basically nobody gets held to account for lacking cybersec.
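The first thing a practitioner wants after reading this exchange is a quick way to tell whether a given store sits on a release that carries the CVE-2024-34102 fix. The script below is an added example for this thread, not code from The Register, Adobe or the Magento project. Its table of first fixed releases per branch (2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9) is this editor's reading of Adobe's June 2024 bulletin APSB24-40 and is an assumption to verify against that bulletin before relying on it; the composer.lock fragment it reads is constructed for the demonstration.

```python
"""Check whether an Adobe Commerce / Magento Open Source version string sits at
or above the first release on its branch that carries the fix for
CVE-2024-34102 (CosmicSting).

Added example for this thread, not code from The Register, Adobe or Magento.
FIXED_RELEASES is this author's reading of Adobe's June 2024 bulletin
(APSB24-40) and is an assumption to verify against the bulletin before use.
"""
import json
import re

# Branch -> first patch level (the "-pN" suffix) on that branch carrying the fix.
# Assumed from Adobe's bulletin; branches not listed were already out of
# support when the fix shipped and are treated as unfixed.
FIXED_RELEASES = {
    (2, 4, 7): 1,   # 2.4.7-p1
    (2, 4, 6): 6,   # 2.4.6-p6
    (2, 4, 5): 8,   # 2.4.5-p8
    (2, 4, 4): 9,   # 2.4.4-p9
}

# Composer meta-packages whose version is the Magento release version.
MAGENTO_META_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Split '2.4.6-p5' into ((2, 4, 6), 5); a release with no -p suffix is level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Magento version: %r" % version)
    major, minor, patch, level = m.groups()
    return (int(major), int(minor), int(patch)), int(level or 0)


def is_fixed(version):
    """True if this release includes the CVE-2024-34102 fix for its branch."""
    branch, level = parse_version(version)
    if branch > max(FIXED_RELEASES):
        return True          # a newer branch (e.g. 2.4.8) was cut after the fix
    if branch not in FIXED_RELEASES:
        return False         # unsupported branch: no fixed release exists
    return level >= FIXED_RELEASES[branch]


def version_from_composer_lock(lock_text):
    """Return the Magento release recorded in a composer.lock, or None."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_META_PACKAGES:
            return pkg.get("version")
    return None


def check_lock(lock_text):
    """Return (version, fixed) for a composer.lock; (None, False) if no meta-package."""
    version = version_from_composer_lock(lock_text)
    if version is None:
        return None, False
    return version, is_fixed(version)


# Constructed sample composer.lock fragment (not from any real store): a site
# one patch level short of the fixed 2.4.6-p6.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.6-p5"},
        {"name": "magento/product-community-edition", "version": "2.4.6-p5"},
    ]
})

if __name__ == "__main__":
    for v in ("2.4.7-p1", "2.4.6-p5", "2.4.3-p3", "2.4.8"):
        print(v, "fixed" if is_fixed(v) else "NOT fixed")
    print("sample composer.lock:", check_lock(SAMPLE_LOCK))
```

Two caveats on reading the result. Adobe also made this fix available as an isolated patch applied outside the release cycle, so a site patched that way keeps its old version string and shows up here as unfixed; treat a negative result as "go verify", not as a verdict. Conversely, a version that passes says nothing about whether the store was already compromised before the patch went on, which is exactly the situation the "infected in the last two months" comment describes, so a passing check is the start of an investigation, not the end of one.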
