What could possibly go wrong?
Security in Magento Shops
• integer_net (Aken / Germany)
• Consultant / Developer / Trainer / CEO
• Specialist for Magento and Solr
• @avstudnitz
PHOTO
Andreas von Studnitz
PHOTO
Real Life Example
• One line of code added
• Reads all requests in admin and
checkout areas
• Encodes and stores data in media/cache_6e0a32[…]d53ee065da
PHOTO
Real Life Example
• Active for 6 months!
• 5,628 datasets
(email address, name, telephone)
• 1,612 passwords
• All admin usernames and passwords
Overview
Consequences of Attacks
Types of Attack
Prevention
PHOTO
What can possibly
go wrong? Consequences of Attacks
PHOTO
www.ibm.com/security/data-breach/
PHOTO
Stolen User Data
PHOTO
Stolen Login Data
PHOTO
Stolen Payment Data
PHOTO
This guy lost more than 50,000 $
in a data breach
PHOTO
Server Attacks
PHOTO
PHOTO
PHOTO
How can this happen
with Magento? Vulnerabilities
PHOTO
Magento Unpatched
• Neither installed the latest version
• Nor applied important security patches
• (Insecure PHP version)
PHOTO
Example: Shoplift Bug
(patched February 2015)
PHOTO
50,581 Source: byte.nl, April 2016
Magento shops vulnerable to Shoplift:
(out of 255.558)
PHOTO
Weakly secured Admin Area
• http://magento.site/admin/
• http://magento.site/downloader/
• Username “admin”
• Low security passwords
PHOTO
What can an Attacker do
with Admin Access? (1) 1. Log in
2. Upload a custom extension in the Magento
Connect Manager (downloader)
PHOTO
What can an Attacker do
with Admin Access? (2) 1. Log in
2. Inject custom JavaScript in System
=> Configuration
PHOTO
PHOTO
Security issues in extensions
• Custom or purchased extensions
• SQL Injection, XSS, …
• Backdoors
• Installation service
PHOTO
How can I
prevent Attacks?
PHOTO
1. Follow basic Guidelines
• Update Magento and PHP
• Secure the admin area
• Subscribe to the security mailing list
PHOTO
2. Check your Site
PHOTO
3. Do security reviews
Severe security issues found in more than 50% of my reviews
