The secuirty company Securatary discovered a vulnerability in Magento Go that allowed attackers to login into any other Magento Go account by modifying HTTP-headers in the browser. Magento (or eBay as Magento is now an eBay company) responded quickly and has fixed the issue.

Opening up for numerous scenarios

The hack was easy to replicate: Using a browser extension like the Firefox extension Modify Headers, the POST-request sent from within a source Magento Go account allowed to modify admin privileges in a destination Magento Go account. With this attack, it was possible to gain admin privileges in other Magento Go accounts.

This again opened up for other opportunities, the most disastrous being the ability to add fake orders using coupon codes. The main flaw seemed to have been present in the Magento Go code responsible for checking whether a POST-request sent for a specific domain was actually coming from that domain. Because this check was either not present or not working properly, it was possible to fool Magento Go by modifying HTTP-headers like the Host-header, the Location-header and cookie-domains.

The vulnerability was reported to Magento and fixed quickly afterwards.

Posted on February 14, 2014

About the author

Author Jisse Reitsma

Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.

Sponsor Yireo

Looking for a training in-house?

Let's get to it!

We schrijven niet te commerciële dingen, we richten ons op de technologie (waar we dol op zijn) en we komen regelmatig met innovatieve oplossingen. Via onze nieuwsbrief kun je op de hoogte blijven van al deze coolness. Inschrijven kost maar een paar seconden.

Do not miss out on what we say

This will be the most interesting spam you have ever read

We schrijven niet te commerciële dingen, we richten ons op de technologie (waar we dol op zijn) en we komen regelmatig met innovatieve oplossingen. Via onze nieuwsbrief kun je op de hoogte blijven van al deze coolness. Inschrijven kost maar een paar seconden.