security and privacy issues

E-commerce has been a savior for many organizations — particularly SMBs — because it can allow them to pick a cloud solution and focus on their core competencies.

However, it doesn’t mean that everything is taken care of. Tools and plug-ins can be a source of security weaknesses, as users of WordPress have found out. The latest case in point: This week a vulnerability was revealed in an open source utility called Magmi for eBay’s Magneto e-commerce platform.

Trustwave reported seeing HTTP requests associated with an exploit attempt on the SourceForge version of Magmi, the Magneto Mass Importer database client, used to bring data into the Magneto database.

Magmi can also be downloaded from GitHub, but it’s the SourceForge version that has the problem. You’ll find out why in a moment.

Attackers were apparently testing sites to see if admins hadn’t changed the client’s default security configuration. They were doing it by trying  to access the Linux password file through the HTTP request, which would expose the path to the file.

“Successful exploitation results in access to Magento site credentials and the encryption key for the database,” the security vendor said in a blog.

Magneto has some 240,000 subscribers. It isn’t clear how many use the SourceForge version of Magmi, but Trustwave notes there were 2,800 downloads in September, and 500 the first week of this month.

Why was the SourceForge copy of Magmi the problem? Because it hadn’t been updated in months although the two repositories were supposed be synchronized. The GitHub copy was newer  and didn’t include a crucial file that would give the password file away.

“What’s disturbing is the inconsistency between the two repositories and the popularity of the out-dated, SourceForge repository,” commented Trustwave.

Magento acknowledged the issue and issued a security notification to their partners and users. It also contacted the owners of 1,700 Magneto sites believed to be vulnerable.

There are three lessons here: First, not only do providers that host downloadable software have to make sure they’ve always got the latest versions, so do CISOs. Second, tools and plug-ins are risks. And third, policies have to be in place to ensure default passwords in every system are changed.