Hundreds of thousands of customers found themselves at risk of a data breach Friday after potentially malicious computer code affecting the popular e-commerce platform Magento was distributed online.
The attack code was uploaded to the internet days after Magento warned that earlier versions of the Adobe-owned software contained multiple, critical vulnerabilities that risk being exploited unless fixed with software patches released this week.
Ambionics Security, the company that discovered the bugs and subsequently authored and released the code, said that Magento was notified about the bugs through a third party in November 2018. Ambionics followed up last week, and the issues were finally resolved with the release of the patches Tuesday, more than four months after they were first disclosed.
Unless patched, vulnerable versions of Magento can be exploited by hackers using the code to remotely execute commands against the databases behind the software, effectively letting bad actors see and siphon sensitive data, including privileged information such as credit card numbers and user credentials.
Magento is “trusted by over 300,000 businesses and merchants” and generated $155 billion in digital commerce during the last calendar year, according to its website. The platform was first released in 2008 and acquired by Adobe a decade later as part of a $1.68 billion acquisition.
“As the majority of exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available,” Magento told The Washington Times in a statement.
The release of Friday’s code was first reported by Ars Technica.
Sucuri, a U.S. cybersecurity firm, urged Magento customers to patch their products in a blog post published a day earlier warning about the risks associated with ignoring the update.
“Unauthenticated attacks, like the one seen in this particular SQL Injection vulnerability, are very serious, because they can be automated—making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” said Sucuri. “The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”