How secure are your 3rd party Magento extensions?

Third party extensions are increasingly targeted in attempts to hack your store: many attacks have shifted their focus from the Magento core to 3rd party components.

Magento continues to be a target for payment skimmers. In 2015 attackers used the “Shoplift” vulnerability in the core Magento code base. Once that was patched, attackers moved on to brute forcing weak admin passwords in 2016-2017. In 2018 the focus shifted to insecure third party extensions, with an estimated 50 stores per day being hacked this way.

How extension attacks are spreading

“The method is straightforward: attacker uses an extension bug to hack into a Magento store. Once in, they download all of the other installed extensions. The attacker then searches the downloaded code for 0day security issues, such as POI, SQLi and XSS flaws. Once found, the attacker launches a global scan to find vulnerable victims. Rinse and repeat.”
Willem’s lab

What escalates the issue is that third party vendors are unwilling to admit vulnerabilities, in an attempt to avoid any loss of reputation, or, when they do admit to them, they bury the information in a footnote. The result is that, despite merchants implementing best practice including up-to-date patches, WAFs etc., sites still remain vulnerable. Updated extensions may remove these vulnerabilities, but for many extensions this means another investment for the same service, plus the stability risk of implementing new extensions.

The Magento Community strikes again.

Magento 1

In response to this a group of Magento professionals have released a central repository of insecure Magento modules. At the time of writing it lists some 63 insecure extensions, and more will be added as they are found and/or created. Checking your store is a matter of comparing the extensions installed on it, and their versions, against that list and upgrading any that are listed as vulnerable.
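The comparison described above, as an added example that is not code from the repository the article refers to. It reads the real Magento 1 layout (every module declares its version in app/code/&lt;pool&gt;/&lt;Vendor&gt;/&lt;Module&gt;/etc/config.xml under &lt;config&gt;&lt;modules&gt;&lt;Vendor_Module&gt;&lt;version&gt;), but the CSV columns (name, fixed_in, note), the module names and the versions are all constructed for illustration and do not come from the repository’s list.

```python
"""Check the extensions installed in a Magento 1 tree against a list of
known-vulnerable versions.

Added example, not code from the repository the article describes.  The CSV
columns (name, fixed_in, note), the module names and the versions are all
constructed for illustration.  The file layout it reads is real Magento 1:
every module declares its version in
app/code/<pool>/<Vendor>/<Module>/etc/config.xml under
<config><modules><Vendor_Module><version>.
"""
import csv
import io
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed vulnerability list (assumed layout: name, first fixed version, note).
SAMPLE_VULN_DB = """\
name,fixed_in,note
Acme_Checkout,2.1.0,PHP object injection in order export
Acme_Newsletter,1.4.2,SQL injection in subscriber search
Beta_Slider,0.9.5,stored XSS in slide title
"""


def parse_version(text):
    """'1.2.10' -> (1, 2, 10); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def version_lt(a, b):
    """True if version string a is older than b (zero-padded, so 2.1 == 2.1.0)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def load_vuln_db(csv_text):
    """Map module name -> (first fixed version, note)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: (row["fixed_in"], row["note"]) for row in rows}


def installed_modules(magento_root):
    """Map Vendor_Module -> declared version for every module in the code pools."""
    found = {}
    for pool in ("local", "community", "core"):
        pool_dir = Path(magento_root, "app", "code", pool)
        if not pool_dir.is_dir():
            continue
        for cfg in pool_dir.glob("*/*/etc/config.xml"):
            modules = ET.parse(cfg).getroot().find("modules")
            if modules is None:
                continue
            for mod in modules:                      # tag is e.g. Acme_Checkout
                version = mod.findtext("version")
                if version:
                    found[mod.tag] = version.strip()
    return found


def find_vulnerable(installed, vuln_db):
    """Return (name, installed, fixed_in, note) for each module older than its fix."""
    hits = []
    for name, version in sorted(installed.items()):
        if name in vuln_db and version_lt(version, vuln_db[name][0]):
            fixed_in, note = vuln_db[name]
            hits.append((name, version, fixed_in, note))
    return hits


def build_sample_store(root):
    """Write a constructed three-module store tree under root for the demo."""
    modules = {
        ("community", "Acme", "Checkout"): "2.0.3",    # older than the fix: flag it
        ("community", "Acme", "Newsletter"): "1.4.2",  # exactly the fixed version
        ("local", "Beta", "Slider"): "1.0.0",          # newer than the fix
    }
    for (pool, vendor, name), version in modules.items():
        etc = Path(root, "app", "code", pool, vendor, name, "etc")
        etc.mkdir(parents=True, exist_ok=True)
        tag = f"{vendor}_{name}"
        etc.joinpath("config.xml").write_text(
            f"<config><modules><{tag}><version>{version}</version></{tag}></modules></config>"
        )


def demo_check():
    """Build the constructed store in a temp dir and run the comparison over it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root)
        return find_vulnerable(installed_modules(root), load_vuln_db(SAMPLE_VULN_DB))


if __name__ == "__main__":
    for name, have, fixed_in, note in demo_check():
        print(f"{name} {have} is vulnerable ({note}); upgrade to {fixed_in} or later")
```

To run this against a real store, call `installed_modules("/path/to/magento")` instead of the constructed tree and feed `load_vuln_db` the repository’s list converted to the assumed columns. Two caveats: the version in config.xml is whatever the vendor declared, so a vendor that ships a fix without bumping the version produces a false negative; and disabling a module in app/etc/modules does not remove its files from disk, so a disabled but vulnerable extension should still be upgraded or deleted.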

Magento 2

Alternatively for Magento 2 there is Roave Security Advisories. This does not provide a list to check against what you already have on your site; rather it is a Composer package (installed with `composer require --dev roave/security-advisories:dev-latest`) that declares conflicts with package versions that have known security issues, so Composer refuses to resolve them. Note that it only acts while dependencies are being resolved, not on a deploy from an existing composer.lock; to check a lock file that is already in place, run `composer audit` (available since Composer 2.4). Important note from the GitHub entry:

“The checks are only executed when adding a new dependency via composer require or when running composer update. Deploying an application with a valid composer.lock and via composer install won’t trigger any security versions checking.”