greasemonkey Posted April 21, 2015

Not very familiar with Magento - but has anyone seen this? http://thehackernews.com/2015/04/Magento-security.html?m=1
♥Tsimi Posted April 22, 2015

As I said in another topic recently, a system/software is only as good as the person that maintains it. The fix/patch is available, but if the people don't apply those patches then it is their own fault and not Magento's. How many people are still out there using osC 2.2 or 2.3.1 and other older versions that have more security holes than a Swiss cheese? Hell, some still name their admin area "admin"!

One other thing I found a bit disturbing is this: "...and gain access to credit card details and other financial..." I always thought it is not good to keep credit card records, especially if you don't fulfill certain rules, right?
greasemonkey (Author) Posted April 22, 2015

Well said. I guess what I find most amazing is (they suggest in the article) only 50% have been patched. And I too would seriously question why anyone would want to hold a CC number in their database. Talk about asking for it....
♥Tsimi Posted April 22, 2015

I am not familiar with Magento, but if they have kinda Dashboard in the admin area as osC has then they could release an emergency newsflash so that people can see that there is a patch available. But if people still won't apply it even after all the efforts and announcements then....well.... Imagine some or probably most people hired someone to create their shop; those people wouldn't know where to start in the first place. And Magento seems to have a difficult code base. So they all would need to hire again someone to fix their system. I wonder how many shops are in those 50%...100'000? 1'000'000? 10'000'000? ...more?
clustersolutions Posted April 22, 2015

> Well said. I guess what I find most amazing is (they suggest in the article) only 50% have been patched. And I too would seriously question why anyone would want to hold a CC number in their database. Talk about asking for it....

A system holding CC info takes a lot more work to get PCI/DSS compliance, then again, that's sort of like an honest system. I see a lot of reasons to hold a CC number, but only temporarily. Customers change their minds to add more items...exchange shipping...and etc...one thing is holding CC info...another would be storing CC info in plain text...AES_ENCRYPT...SHA2 should slow'em down...highly recommend'em...I guess it's all about minimizing risks...
ozEworks Posted April 22, 2015

For Magento, it was an easy patch. Same issues arose with lots of WordPress plugins including WP eCommerce. Neither stores CC in the database. Patches were available last week before the public announcement. Risk is quite low in regard to an actual hack, I think. I guess the poster was kind of asking if osCommerce is affected?
BrockleyJohn Posted April 24, 2015

> A system holding CC info takes a lot more work to get PCI/DSS compliance, then again, that's sort of like an honest system. I see a lot of reasons to hold a CC number, but only temporarily. Customers change their minds to add more items...exchange shipping...and etc...one thing is holding CC info...another would be storing CC info in plain text...AES_ENCRYPT...SHA2 should slow'em down...highly recommend'em...I guess it's all about minimizing risks...

Actually the hack published was intercepting CC information between the customer inputting it on the form and its being encrypted and sent to the payment gateway - without ever being stored anywhere. The only way to rule that out altogether is a sagepay-form-type integration where you pass them to the payment gateway before they enter the card details.

There were/are addons that check that the code files in your store haven't changed, and that's really the only way to be sure you've not been hacked with an injection; we are running open-source so any remaining holes are public. That said, I think that holes now are more likely to be in addons and custom code, which is harder for the malicious to exploit on any scale than vulnerabilities in the core. I suspect, though, that it's not so hard to design a bot that can hammer all the input fields and url parameters on your site with injection strings to see if they can get in.

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released. Looking for a payment or shipping module? Maybe I've already done it. Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
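The file-change check BrockleyJohn describes is a hash baseline compared against the store's current files. The script below is an added example, not one of the osCommerce addons from the thread: it baselines the PHP, JS and .htaccess files under a store root with SHA-256, then reports modified, added and removed files; the mini store it builds in a temp directory and the "tampering" applied to it are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed watch list: file types an injected change in a PHP store would most likely touch.
WATCHED_SUFFIXES = {".php", ".js"}
WATCHED_NAMES = {".htaccess"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*")
            if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name in WATCHED_NAMES)}


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {"modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
            "added": sorted(k for k in current if k not in baseline),
            "removed": sorted(k for k in baseline if k not in current)}


def demo() -> dict:
    """Baseline a constructed mini store, tamper with it, and re-check against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "checkout_payment.php").write_text("<?php // constructed checkout page\n")
        (root / "includes" / "application_top.php").write_text("<?php // constructed bootstrap\n")
        # Baseline serialised to JSON; keep the real one where the web server cannot write to it.
        snapshot = json.loads(json.dumps(build_baseline(root)))
        # Constructed tampering: one known file edited, one unexpected file dropped in.
        with (root / "checkout_payment.php").open("a") as f:
            f.write("// constructed unexpected change\n")
        (root / "includes" / "extra.php").write_text("<?php // constructed new file\n")
        return compare(snapshot, build_baseline(root))
```

Run the baseline from a known-clean copy (fresh download plus your own reviewed changes) and schedule the comparison; a hit on a checkout or payment file is the case the thread is worried about.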