In October of 2016, Magento released the SUPEE-8788 patch, which, among other fixes, was intended to protect Magento stores from PHP Object Injection vulnerabilities: attacker-controlled data reaching PHP's unserialize(), which had been exploited as a zero-day. However, even with the patch applied, these exploits have continued to plague Magento users.
First and foremost, it's not because of any known deficiencies in the SUPEE-8788 patch. The patch replaced the unsafe unserialize() calls in Magento core, but the same vulnerable pattern is present in a sizable number of Magento extensions, and extension code is not touched by a core patch. Some extension developers responded with patches to solve this issue, while others have not even acknowledged the vulnerability in their code.
When triggered, this vulnerability lets an attacker instantiate PHP classes of their choosing with attacker-controlled properties, which is typically chained into writing files or executing code on the store. In the attacks observed, that access has been used to inject card-skimming JavaScript into the checkout, siphoning credit card and other customer data as it is entered.
According to Willem de Groot, a security researcher helping to identify these issues, this vulnerability may exist in extensions from many popular extension developers. For a list of known extensions believed to make Magento sites susceptible to this type of attack, please visit: https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/
So, what should you do if you’re using extensions on this list? Well, that’s of course up to you, but to triage this issue, it would make sense to:
1. See if the extension developers have patched your extension(s) yet. If so, apply the patch(es). It's always best to keep your Magento software and your extensions up to date on security patches. As always, apply patches on a dev/staging platform first and test them thoroughly before touching production.
2. If you're up to the task, and the code is open to you, fix the vulnerability yourself rather than wait on the extension developers to provide a solution. In practice that means finding every unserialize() call in the extension whose input can come from a request, cookie, or customer-editable data, and replacing it with a deserializer that refuses to instantiate objects (or with JSON).
3. Completely remove the extensions. In some cases, you may not even be using these extensions anymore, or they simply may not be bringing you enough value to be worth maintaining.
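As an added example that is not code from this page's author, from Magento, or from any extension, the following PHP shows the vulnerable pattern that step 2 is looking for, the hardened replacement, and what each does with an object-injection payload. The `FileWriter` class, the `loadOptions*` function names, and the payload string are constructed for illustration; the Magento helper named in the comments is the one SUPEE-8788 introduced, and the example assumes PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Added example (not Magento core or any extension's code). It shows the
// PHP Object Injection sink that SUPEE-8788 removed from core but that many
// extensions still carry, and the hardened replacement. "FileWriter" is a
// constructed stand-in for a gadget class; the payload string is constructed
// to resemble what an attacker would send in a request parameter or cookie.

class FileWriter
{
    public $path;
    public $content;

    // Runs automatically when the object is freed. With attacker-controlled
    // properties this would be an arbitrary file write; the demo only echoes.
    public function __destruct()
    {
        echo "[gadget fired] would write " . strlen((string) $this->content)
            . " bytes to {$this->path}\n";
    }
}

// Vulnerable pattern seen in extensions: untrusted input straight into unserialize().
// Any class on the autoload path can be instantiated with attacker-chosen properties.
function loadOptionsVulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened (PHP >= 7.0): allowed_classes=false turns every object in the input
// into __PHP_Incomplete_Class, so no __wakeup/__destruct of a real class runs.
// Only a plain array is accepted as a valid result.
function loadOptionsSafe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}
// On Magento 1.9.3+/SUPEE-8788 the equivalent is the helper the patch added:
//   Mage::helper('core/unserializeArray')->unserialize($raw)
// which parses the string itself and throws on any object. On PHP 5.x, where
// allowed_classes does not exist, use that helper or move the stored format
// to JSON (json_encode() / json_decode($raw, true)).

// Constructed attacker payload: a serialized FileWriter aimed at a path under
// the web root. The numbers are byte lengths, part of PHP's serialization format.
$payload = 'O:10:"FileWriter":2:{s:4:"path";s:24:"/var/www/html/js/skim.js";'
         . 's:7:"content";s:13:"/* skimmer */";}';

// Legitimate input the extension actually expects: a plain options array.
$legit = serialize(['color' => 'red', 'qty' => 2]);

echo "vulnerable: ";
$obj = loadOptionsVulnerable($payload);   // FileWriter is instantiated here
echo get_class($obj) . " instantiated\n";
unset($obj);                              // ...and its __destruct fires

echo "hardened:   " . json_encode(loadOptionsSafe($payload)) . "\n"; // []
echo "legit:      " . json_encode(loadOptionsSafe($legit)) . "\n";   // {"color":"red","qty":2}
```

Run it with `php poi-demo.php` and compare the two lines: the vulnerable path instantiates the gadget and its destructor fires, while the hardened path returns an empty array for the payload and the real options for legitimate input. To find the sinks in your own store, search for `unserialize(` under `app/code/community` and `app/code/local` and treat every hit whose argument can derive from the request, cookies, or rows a customer can influence as a candidate for this fix.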
What else can you do to protect yourself from hackers?
At the end of the day, extensions, modules, plugins, apps, and other add-on software and custom code can all create vulnerabilities in your website. Just because they're inexpensive or free to acquire, don't forget that your total cost of ownership for these extensions includes long-term maintenance and security implications. Sometimes it's best to simply not use an extension if it can be avoided.
When you are adding software or code to your website, try to source this work from experts who are likely not only to follow best practices the first time, but also to make updates available to you when needed. Extension authors like Amasty are known for being proactive in this way.
Also, remember that it's not only your Magento software that can be a point of intrusion. Your hosting environment needs to be up to date and secure, and closely monitored for potential intrusion. If you're not sure whether the operating system, server software such as PHP and its settings, firewall rules, and the other hosting components and their settings are keeping you safe and secure, consider a free hosting consultation from the JetRails team.
Lastly, consider additional layers of security from third-party providers, such as the extra protections of Content Delivery Networks (CDNs) like Cloudflare and Akamai, and security monitoring tools like Sucuri. Keep in mind that an edge WAF can block known object-injection payloads and a monitor can alert you to an injected skimmer, but neither removes the unserialize() call from the extension; they complement patching rather than replace it. If you need help identifying the best security stack for your hosting, you'll definitely want to reach out to the JetRails team for advice.