HKCert
HKCERT logo Hong Kong Computer Emergency Response Team Coordination Centre

HKCERT logo Hong Kong Computer Emergency Response Team Coordination Centre

Security Guideline

Magento eCommerce Web Application Security Guide

Release Date: 12 / 01 / 2017
Last Update: 12 / 01 / 2017

 

Image source: magento.com

 

0. Foreword

Magento (magento.com) is a web based eCommerce application, widely used by online merchants to provide online transaction on shopping or eCommerce website.

 

HKCERT was aware that a Dutch security researcher Willem de Groot (gwillem.gitlab.io) has released a research report in October 2016 about websites installed with Magento which are vulnerable to ‘online skimming’, i.e. criminals intercepting credit card data by infecting unpatched Magento application on the website. Some of those websites are hosted in or affiliated with Hong Kong. Henceforth this guide is released for online merchants to recover and protect their Magento application.

 

1. Threats to websites with impacted Magento application

According to the research report, websites with outdated or unpatched Magento application were vulnerable to the following threats:

  • JavaScript ‘wiretap’ on website source code, which could allow criminals to intercept credit card and other payment data (Oct 2016)
  • Visbot malware, which can allow criminals to intercept credit card and other payment data, and even control your website (Dec 2016)

 

2. Business impacts arising from breached Magento application

From the research report, criminals mainly target payment and card data from the breached Magento application. Therefore a breach may result in financial loss to the merchants and the clients, and the merchants may be claimed on financial loss or sensitive data leakage by the clients.

 

3. Recovery of breached Magento application

 

4. Prevention of Magento application breach

  • Ensure that you have applied the latest security updates (patches) to your Magento application (magento.com/security).
  • Ensure that other parts of your website (e.g. server OS, web server etc.) also receive the latest patches.
  • Perform regular vulnerability scanning on your website with the tools mentioned above.
  • Perform security assessment according to industry or de facto standards such as OWASP top 10 or PCI DSS (applicable to payment card industry).

 

5. Other potential follow-up on breach

  • If you suspected that there is any data breach, you should consider notifying the Office of the Privacy Commissioner for Personal Data (PCPD) according to their procedure.
  • If you suspected that there is any financial loss, you may consider to file a crime report in nearby police station.