Andreas von Studnitz - Security in Magento Shops

Post on 14-Apr-2017


What could possibly go wrong?

Security in Magento Shops

• integer_net (Aken / Germany)
• Consultant / Developer / Trainer / CEO
• Specialist for Magento and Solr
• @avstudnitz

Andreas von Studnitz

Real Life Example

• One line of code added
• Reads all requests in admin and checkout areas
• Encodes and stores data in media/cache_6e0a32[…]d53ee065da

Real Life Example

• Active for 6 months!
• 5,628 datasets (email address, name, telephone)
• 1,612 passwords
• All admin usernames and passwords

Overview

Consequences of Attacks

Types of Attack

Prevention

What can possibly go wrong?

Consequences of Attacks

www.ibm.com/security/data-breach/

Stolen User Data

Consequences

Stolen Login Data

Consequences

Stolen Payment Data

Consequences

This guy lost more than $50,000 in a data breach

Server Attacks

Consequences

How can this happen with Magento?

Vulnerabilities

Magento Unpatched

• Neither installed the latest version
• Nor applied important security patches
• (Insecure PHP version)

Vulnerability

Example: Shoplift Bug

(patched February 2015)

Vulnerability

Vulnerability

Magento shops vulnerable to Shoplift: 50,581 (out of 255,558)

Source: byte.nl, April 2016

Weakly secured Admin Area

• http://magento.site/admin/
• http://magento.site/downloader/
• Username “admin”
• Low security passwords

Vulnerability

What can an Attacker do with Admin Access? (1)

1. Log in
2. Upload a custom extension in the Magento Connect Manager (downloader)

Vulnerability

What can an Attacker do with Admin Access? (2)

1. Log in
2. Inject custom JavaScript in System => Configuration

Vulnerability

Security issues in extensions

• Custom or purchased extensions
• SQL Injection, XSS, …
• Backdoors
• Installation service

Vulnerability

How can I prevent Attacks?

1. Follow basic Guidelines

• Update Magento and PHP
• Secure the admin area
• Subscribe to the security mailing list
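The "Secure the admin area" guideline and the real-life example earlier in the talk can be checked on disk. The following is an added example, not code from the talk or from integer_net: it audits a Magento 1 document root for the default /admin/ front name, a reachable downloader/ (Connect Manager) directory, and unexpected media/cache_* directories of the kind the skimmer used as its data store. It assumes the Magento 1 app/etc/local.xml layout for the admin front name; the sample tree, directory names and severities are constructed.

```python
"""Audit a Magento 1 document root for the weak points named in the talk."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Assumption: Magento 1 keeps the admin front name at this path in app/etc/local.xml.
FRONTNAME_XPATH = "./admin/routers/adminhtml/args/frontName"


def audit_magento_root(root):
    """Return (severity, finding) tuples for the install located at root."""
    findings = []
    local_xml = os.path.join(root, "app", "etc", "local.xml")
    if os.path.isfile(local_xml):
        node = ET.parse(local_xml).getroot().find(FRONTNAME_XPATH)
        name = (node.text or "").strip() if node is not None else ""
        if name in ("", "admin"):
            findings.append(("high", "admin area uses the guessable /admin/ front name"))
    if os.path.isdir(os.path.join(root, "downloader")):
        findings.append(("high", "downloader/ (Connect Manager) is reachable; an admin login can upload extensions"))
    media = os.path.join(root, "media")
    if os.path.isdir(media):
        for entry in sorted(os.listdir(media)):
            # Stock Magento creates no media/cache_<hex>; the talk's skimmer stored its harvest there.
            if re.fullmatch(r"cache_[0-9a-f]{6,}", entry):
                findings.append(("critical", f"unexpected data store media/{entry}"))
    return findings


def build_sample_install(base, compromised):
    """Constructed sample tree: a hardened shop, or one showing all three issues."""
    os.makedirs(os.path.join(base, "app", "etc"))
    os.makedirs(os.path.join(base, "media", "cache_0123456789abcdef" if compromised else "catalog"))
    if compromised:
        os.makedirs(os.path.join(base, "downloader"))
    front = "admin" if compromised else "backend_k7q2"  # constructed front names
    with open(os.path.join(base, "app", "etc", "local.xml"), "w") as fh:
        fh.write("<config><admin><routers><adminhtml><args><frontName><![CDATA["
                 + front + "]]></frontName></args></adminhtml></routers></admin></config>")


def run_demo(compromised=True):
    """Build the constructed tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, compromised)
        return audit_magento_root(tmp)
```

Run `run_demo()` against the constructed tree to see all three findings; point `audit_magento_root()` at a real document root to check a live install.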

Prevention

Prevention

2. Check your Site

3. Do security reviews

Prevention

Severe security issues found in more than 50% of my reviews

Q & A

Please contact me!

@avstudnitz
avs@integer-net.com
@integer_net
www.integer-net.com