Security researchers have reported a cross-store vulnerability in the Magento commerce platform that lets attackers create administrative users on any store. Securatary says before it was patched, the bug would allow an attacker to access the account details of “any customer” on the 200,000 merchants that Magento claims to host …
What a howler. I imagine they're trying to avoid checking credentials on every page for performance reasons, given that Magento isn't exactly sprightly and snappy. But if you're going the route of not verifying the credentials on every page, it's pretty staggering they didn't consider they'd need some kind of hashing of the account credentials to prevent tampering like this.
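The integrity check the comment above argues for, as an added example that is neither Magento's code nor the commenter's: the session claims carried with each request (store, user, role) get an HMAC-SHA256 tag and are checked against the store serving the page, so an edited store or role is rejected without a credential lookup on every request. The secret key, claim names and token layout are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed server-side secret; a real deployment loads it from a secret store.
SECRET_KEY = b"example-secret-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(store_id: str, user: str, role: str) -> str:
    """Serialise the claims deterministically and append an HMAC-SHA256 tag."""
    claims = json.dumps({"store": store_id, "user": user, "role": role},
                        sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def verify_token(token: str, serving_store: str):
    """Return the claims only if the tag is intact and bound to the store serving the page."""
    try:
        claims_b64, tag_b64 = token.split(".", 1)
        claims, tag = _unb64(claims_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(claims)
    if data.get("store") != serving_store:  # cross-store use is rejected even with a valid tag
        return None
    return data


def tamper(token: str, **changes) -> str:
    """Test helper: edit claims without re-signing, the modification the tag exists to detect."""
    claims_b64, tag_b64 = token.split(".", 1)
    data = json.loads(_unb64(claims_b64))
    data.update(changes)
    claims = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _b64(claims) + "." + tag_b64
```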
What the article does not explicitly state, but the link hints at, is this is only a concern for the Magento Go service. The other three editions (CE, EE & PE) are unaffected since each site only hosts one administration.