
Ebay Patches Up Critical Security Vulnerability In Magento Platform


The Magento e-commerce system lies at the centre of retail giant eBay (and many other e-retailers across the globe), supporting the online purchases and transactions that take place on the website. That's probably why, when Vulnerability Lab's security researcher Hadji Samir found three security flaws in the Magento open-source e-commerce platform in March, no time was lost in putting experts on the issues, and the vulnerabilities have now been permanently fixed.

The first of these was a Cross-Site Request Forgery (CSRF) flaw in the official Magento Commerce Premium Theme front-end web application. This could, and may, have allowed remote hackers to inject scripts into the application side of the service module. The vulnerability allows unauthorized client-side application functions to be executed without secure validation or a session token protection mechanism.


The second flaw was associated with the validation of input being fed to the site. To exploit it, the hacker needed a low-privilege user account on the application side. This has now been patched as well.

The third vulnerability was again of the CSRF kind. This one existed within the Magento application's messages module and again required the hacker to possess a low-privilege user account. Once these conditions were met, however, an attacker could delete the internal Magento messages of other users without consent and launch man-in-the-middle (MITM) attacks, which can then be used to intercept user sessions.

Although these weak points were discovered and submitted to the eBay security team through the company’s Bug Bounty program back in March, we only got to hear about them now — for obvious reasons of course — once all the holes have been firmly plugged by a patch issued by eBay in May.
