Web Security: An Example of How Not To Do It

Quite a few news sites are reporting this story at the moment, about hackers hitting online stores using the Magento E-commerce system: http://www.bbc.co.uk/news/technology-37643754. The reports seem to originate from this site https://www.magereport.com which has been set up to help owners of Magento sites scan for vulnerabilities in their store for free.

A nice idea you might think, and it is. The problem is that those behind the site don’t really seem to have given much thought to verifying who is doing the scan. Anyone can use it. It is easy to find sites that use Magento online; for example, Googling ‘inurl:/checkout/cart/’ will bring up a nice crop. Then run the scan, and it brings up a handy guide to the vulnerabilities the site suffers from.

The makers excuse themselves by saying:

The MageReport tool only tells you what is wrong, not how to exploit it

However, this is really not good enough in my view: once you know what the weaknesses are, it is the work of a minute or two to find the exploit online; my dog could do it.

The only apparent way to protect against this is to block the “magereport” user agent in the site’s robots.txt file. I would suggest that owners of Magento sites do this, but if site owners do not know that they have vulnerable software on their site, are they really going to know that they should do that?
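Since robots.txt is only a request that well-behaved crawlers choose to honour, a site owner will also want to check their web server logs to see whether the scanner has actually visited and which pages it touched. The following is an added example, not code from the original post or from MageReport: it parses Apache/nginx "combined" format access log lines and summarises requests per source address. It assumes, as the post states, that the scanner identifies itself with a user agent containing "magereport"; the log lines themselves are constructed.

```python
import re

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption (from the post): the scanner's user agent contains "magereport".
# Matched case-insensitively so a differently capitalised string is not missed.
SCANNER_UA = re.compile(r"magereport", re.IGNORECASE)

# Constructed sample log lines; the addresses and user agent strings are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2016:10:01:02 +0100] "GET /robots.txt HTTP/1.1" 200 55 "-" '
    '"magereport-scanner/1.0 (constructed)"',
    '203.0.113.7 - - [12/Oct/2016:10:01:03 +0100] "GET /checkout/cart/ HTTP/1.1" 200 8812 "-" '
    '"MageReport-Scanner/1.0 (constructed)"',
    '198.51.100.20 - - [12/Oct/2016:10:02:10 +0100] "GET /checkout/cart/ HTTP/1.1" 200 8812 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/53.0"',
    'this line is not in combined log format',
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_scanner_hits(lines):
    """Return parsed records whose user agent matches the scanner pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read rather than crash on them
        if SCANNER_UA.search(rec["ua"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Per source address: request count and the set of paths that were probed."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"requests": 0, "paths": set()})
        entry["requests"] += 1
        entry["paths"].add(h["path"])
    return by_ip


if __name__ == "__main__":
    for ip, info in summarize(find_scanner_hits(SAMPLE_LOG)).items():
        print(ip, info["requests"], "requests:", ", ".join(sorted(info["paths"])))
```

Point the script at a real access log (one line per list element) to see whether the scanner has been run against your store, and from where.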
