Security researchers have reported a cross-store vulnerability in the Magento commerce platform that lets attackers create administrative users on any store. Securatary says before it was patched, the bug would allow an attacker to access the account details of “any customer” on the 200,000 merchants that Magento claims to host …
What a howler. I imagine they're trying to avoid checking credentials on every page for performance reasons, given that Magento isn't exactly sprightly and snappy. But if you're going the route of not verifying the credentials on every page, it's pretty staggering they didn't consider they'd need some kind of hashing of the account credentials to prevent tampering like this.
What the article does not explicitly state, but the link hints at, is that this is only a concern for the Magento Go service. The other three editions (CE, EE & PE) are unaffected since each site only hosts one administration.