eBay’s e-commerce platform Magento contains a critical remote code execution (RCE) flaw. The security hole exposes the details of millions of users who shop from thousands of online stores that use Magento.

Researchers at Check Point Technologies first discovered the flaw in the open-source e-commerce platform Magento. Unpatched versions of the platform are affected by a critical remote code execution (RCE) vulnerability that can be exploited to compromise user’s privacy at online shops that use Magento.

The Magento flaw

“The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system,” Check Point wrote in a blog post on Monday. “This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions.”

Check Point had privately disclosed these vulnerabilities to eBay back in January, upon discovering them and a patch to address the flaws was released shortly on 9 February. (The patch SUPEE-5344 is available here). Website admins and online store-owners have been notified to use the patch, although it is estimated over 200,000 e-commerce sites remain vulnerable presently.

“As online shopping continues to overpower in-store shopping, e-commerce sites are increasingly targeted by hackers as they have become a gold mine for credit card information,” said Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies, in a statement. “The vulnerability we uncovered represents a significant threat not to just one store, but to all of the retail brands that use the Magento platform for their online stores – which represents about 30 percent of the e-commerce market.”

The fallout

In a F.A.Q. published by Byte, a Dutch company that specializes in Magento hosting, it is suggested that Check Point has identified three vulnerabilities: a website authentication bypass that can be exploited via specially crafted HTTP requests (CVE-2015-1398), a SQL injection vulnerability (CVE-2015-1397), and a remote file inclusion flaw (CVE-2015-1399).

While the patch has been made available since February, there are still plenty of websites and online stores that remain vulnerable. This isn’t surprising, as Magento is a hugely popular platform. It is used by over 240,000 merchants around the world and has a market share of 34% in the Alexa list of the top 1 million websites.

Byte have pointed out that the vulnerability is critical and is likely to be exploited by opportunistic hackers in the near future.

“Once an executable exploit is published, it is estimated that every unpatched Magento installation will be compromised within 48 hours. The same happened to Drupal within 7 hours. Lists of global Magento installs are readily available on the web,” Byte said in its advisory.

Thierry Karsenti, Check Point’s European VP of emerging technology, said that the critical vulnerability is “very significant” which could be exploited by black hat hackers using open-source tools to reach millions of people. “If you follow a list of actions you are able to remotely execute any code on that platform with administrator privileges,” he said.

By all accounts, the RCE flaw presents a clear and critical threat.