Security researchers have reported a cross-store vulnerability in the Magento commerce platform that lets attackers create administrative users on any store. Securatary says before it was patched, the bug would allow an attacker to access the account details of “any customer” on the 200,000 merchants that Magento claims to host …
What a howler. I imagine they're trying to avoid checking credentials on every page for performance reasons, given that Magento isn't exactly sprightly and snappy. But if you're going the route of not verifying the credentials on every page, it's pretty staggering they didn't consider they'd need some kind of hashing of the account credentials to prevent tampering like this.
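The mitigation the comment above alludes to is a tamper-evident session: if the server does not re-check the database on every request, whatever it trusts from the client (user, store, role) must carry a message authentication code keyed with a server secret, so that a client editing the store or role field is detected. The following is an added example, not Magento's code and not from the article; the token layout, claim names (`user`, `store`, `role`) and the `authorize_admin_action` helper are hypothetical, and the key used in `demo()` is a constructed placeholder.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical server-side secret; a real deployment would load it from
# protected configuration, never from the request.
SERVER_KEY = secrets.token_bytes(32)


def _encode(claims: dict) -> bytes:
    # Canonical serialization so the same claims always MAC to the same tag.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Return '<hex body>.<hex HMAC-SHA256 tag>' for the given claims."""
    body = _encode(claims)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_token(token: str, key: bytes = SERVER_KEY):
    """Return the claims if the tag matches, otherwise None."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def authorize_admin_action(token: str, store_id: str, key: bytes = SERVER_KEY) -> bool:
    """Per-request check: the token must verify AND name this store with admin role."""
    claims = verify_token(token, key)
    if claims is None:
        return False
    return claims.get("store") == store_id and claims.get("role") == "admin"


def tamper_store(token: str, new_store: str) -> str:
    """Simulate a client rewriting the store field while keeping the old tag.

    Used only to show that the MAC detects the edit."""
    body_hex, tag = token.split(".", 1)
    claims = json.loads(bytes.fromhex(body_hex))
    claims["store"] = new_store
    return _encode(claims).hex() + "." + tag


def demo() -> dict:
    key = b"k" * 32  # constructed placeholder key for a reproducible run
    token = issue_token({"user": "alice", "store": "store-a", "role": "admin"}, key)
    forged = tamper_store(token, "store-b")
    return {
        "own_store": authorize_admin_action(token, "store-a", key),    # True
        "other_store": authorize_admin_action(token, "store-b", key),  # False
        "forged": verify_token(forged, key) is None,                   # True: tag no longer matches
    }


if __name__ == "__main__":
    print(demo())
```

The important property is the per-request `authorize_admin_action` check: verifying the MAC tells the server the claims are the ones it issued, and comparing the `store` claim against the store being administered is what stops a valid session on one store from being replayed against another.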
What the article does not explicitly state, but the link hints at, is that this is only a concern for the Magento Go service. The other three editions (CE, EE & PE) are unaffected since each site only hosts one administration.