Magento Security - complete overview

Magento is a widely used open source eCommerce platform. It is versatile but requires specific security measures. This article outlines critical aspects of Magento and Adobe Commerce security, providing technical recommendations and examples to enhance your store's protection.

Understanding the Risks

Magento websites are frequently targeted due to their complexity and the sensitive data they handle. Familiarity with common vulnerabilities is essential for effective defense.

Common Magento Attacks in 2024

Sansec investigates dozens of eCommcerce breaches each week. Here are the most common attacks hitting Magento stores this year.

1. Stolen Crypt Keys via CosmicSting Attack: Merchants who didn't apply Adobe's June 11th, 2024 release within 2 weeks, likely had their secret crypt keys stolen. So far we have observed 4200 stores getting hacked and we are still counting new victims.

   Example: An attacker uses a CosmicSting attack to extract the crypt key. They can then generate an admin API token. This token enables them to download private customer data and inject skimming code into CMS blocks.

2. Code Execution via TrojanOrder Attack: This vulnerability allows attackers to execute arbitrary code on the server by abusing template parsing features. While the bug was fixed in 2022, many merchants did not upgrade and we are still seeing new successful attacks almost 2 years later.

   Example: An attacker places a specially crafted order. When a confirmation is emailed to the customer, the malicicous code is executed and installs a backdoor on the Magento server.

3. Guessed or Leaked Staff Passwords: Weak or compromised passwords can be exploited by attackers to gain unauthorized access to the system.

   Example: An attacker uses a leaked password from a data breach to log into the Magento admin panel, accessing sensitive data and functionalities.

4. Outdated System Configuration (glibc): Outdated Linux system libraries, such as glibc, enable attackers to run arbitrary code on your servers.

   Example: A typing CosmicSting attack only enables the attacker to read and modify database data. However, when the host system hasn't been updated in a while, the attacker can abuse this to also run code directly on the server. They use this to inject several backdoors.

Real-World Examples

Sansec observed a recent surge in Magento and Adobe Commerce hacks. Here are some high profile Magento stores that got hacked recently:

• Swatch
• Ray Ban
• Cisco
• Carlsberg
• Segway
• Whirlpool
• LCBO

Best Practices for Magento Security

1. Regular Updates

Ensure your Magento installation is always updated. Each release contains security patches for known vulnerabilities.

Example: Regularly check for updates in the Magento admin panel or subscribe to the Magento security mailing list to receive notifications.

2. Strong Password Policies

Enforce strong password policies for all user accounts. Passwords should include a mix of uppercase letters, lowercase letters, numbers, and symbols.

It is also essential to enable Magento Multi Factor Authentication for all staff.

3. Use Secure Hosting

Select a hosting provider that prioritizes security. Important features include:

• Web Application Firewalls (WAF)
• SSL Certificates
• DDoS Protection

Example: Hosting services like AWS or DigitalOcean offer advanced security configurations tailored for Magento installations.

4. Limit User Access

Implement role-based access control (RBAC) to restrict permissions to sensitive areas of your site.

Example: Assign permissions based on user roles, ensuring that only authorized personnel have access to critical functionalities.

5. Implement HTTPS

Use HTTPS to encrypt data between your server and clients. Acquire and configure an SSL certificate for your domain.

Example: Obtain a certificate from Let’s Encrypt and set up automatic renewals to maintain security.

6. Regular Backups

Automate backups of your Magento store to ensure quick recovery in case of data loss.

Example: Use tools like Akeeba Backup or native Magento backup functions, and store backups in multiple locations, such as cloud storage.

7. Security Extensions

Integrate security extensions that enhance site protection.

Example: Utilize extensions like MageFence for malware scanning and intrusion detection.

8. Implement Content Security Policy (CSP)

CSP helps mitigate XSS attacks by controlling which content can be loaded on your site.

Example: Configure your CSP header to specify trusted sources for scripts and styles.

9. Monitor Logs and User Activity

Regularly analyze server and application logs to identify anomalies.

Example: Use centralized logging tools like ELK Stack to detect unusual login attempts or unauthorized changes.

10. Educate Your Team

Conduct regular training sessions on security best practices and phishing awareness for all staff.

Example: Implement phishing simulations to assess and improve employee response to suspicious emails.

Conclusion

Magento security is critical for the integrity of your eCommerce operations. By adhering to these technical best practices and maintaining vigilance against emerging threats, you can effectively protect your online store.

Call to Action

Regularly audit your security measures and consult with security experts to ensure your Magento site remains resilient against threats. Investing in robust security today is essential for safeguarding your business's future.