Magento bug left user credentials vulnerable: researcher

Security researchers have reported a cross-store vulnerability in the Magento commerce platform that lets attackers create administrative users on any store. Securatary says that before it was patched, the bug would have allowed an attacker to access the account details of “any customer” on the 200,000 merchants that Magento claims to host …

COMMENTS


wow

What a howler. I imagine they're trying to avoid checking credentials on every page for performance reasons, given that Magento isn't exactly sprightly and snappy. But if you're going the route of not verifying the credentials on every page, it's pretty staggering they didn't consider they'd need some kind of hashing of the account credentials to prevent tampering like this.

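The commenter's point about integrity-protecting cached account details, as an added example that is not from the article, Securatary or the commenter: an unsigned client-side token lets anyone who edits it change the store it applies to, while an HMAC tag makes the edited token fail verification before any store check runs. The key, claim names and store names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps this server-side and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_unsigned(claims: dict) -> str:
    """Weak design: account details cached client-side with no integrity check."""
    return _b64e(json.dumps(claims, sort_keys=True).encode())


def read_unsigned(token: str) -> dict:
    """Trusts whatever the client sends back, including an edited store field."""
    return json.loads(_b64d(token))


def issue_signed(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened design: append an HMAC-SHA256 tag over the encoded claims."""
    payload = _b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def read_signed(token: str, key: bytes = SERVER_KEY):
    """Return the claims only if the tag verifies; None means tampering or wrong key."""
    payload, _, tag = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(_b64d(payload))


def authorize_admin(claims, target_store: str) -> bool:
    """Cross-store guard: an admin claim is honoured only for the store it was issued for."""
    return bool(claims) and claims.get("role") == "admin" and claims.get("store") == target_store


def forge(token: str, new_claims: dict) -> str:
    """Simulate a tampered signed token: swap the claims but keep the original tag."""
    _, _, tag = token.rpartition(".")
    return issue_unsigned(new_claims) + "." + tag
```

The tag stops field edits but not replay of a still-valid token; expiry and server-side revocation remain separate controls.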
Anonymous Coward

What the article does not explicitly state, but the link hints at, is that this is only a concern for the Magento Go service. The other three editions (CE, EE & PE) are unaffected since each site only hosts one administration.
