
Backdoor found in Webgility


by Sansec Forensics Team

Published in Threat Research − October 30, 2018


Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345.

Update Nov 30th: Webgility has discovered another security issue and urges all customers to upgrade to version 346.


When an accounting software firm proclaims to do epic shit, you know they are up to no good. The VC-funded Webgility software contains a backdoor for the purpose of remote upgrades. As a side effect, this allows anyone to upload PHP code and do all kinds of naughty stuff. Curiously, the Webgility engineering team denies the existence of the backdoor, even when confronted with a functional proof of concept and a demonstration video.

Because of the severity, I recommend that Webgility customers restrict access to trusted IPs or temporarily remove the software until there is a fix.
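One way to apply the IP restriction above at the web server, as an added example that is not Sansec's or Webgility's own configuration: an nginx location block that only lets trusted addresses reach the Webgility module folder and returns 403 to everyone else. The path `/webgility/`, the IP addresses (TEST-NET ranges) and the PHP-FPM socket are placeholders you must replace with your store's real values; Webgility has not published the folder name here.

```nginx
# Added example: block untrusted clients from the Webgility module folder.
# "^~" is a prefix match that takes precedence over regex locations, so the
# store's generic "location ~ \.php$" handler cannot bypass the restriction.
location ^~ /webgility/ {             # PLACEHOLDER: actual module folder on your store
    allow 203.0.113.10;               # constructed example: office IP
    allow 198.51.100.0/24;            # constructed example: VPN range
    deny  all;                        # everyone else receives 403

    # PHP must still run for trusted clients, so repeat the store's existing
    # PHP-FPM handler inside this block (socket path below is an assumption).
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

If the store sits behind a CDN or reverse proxy, `allow`/`deny` evaluate the proxy's address unless `set_real_ip_from` and `real_ip_header` are configured, so verify with a request from an untrusted address that the 403 is actually returned. This is a stopgap for the upload path only; it does not remove the remote upgrade mechanism itself.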

The backdoor was discovered by Eric Seastrand as part of a PCI code audit. He reported the security flaw on Oct 16th to Webgility, together with an extensive explanation, sample code and a demo video. Then, he got this odd response:

Our engineers further reviewed your E-mail and we would like to inform you that this file can't execute automatically or through a Web Browser [...] we request you kindly do not test or trial anything in Webgility module folder

Eric answered patiently and explained once again how the unauthorized update mechanism poses a serious security threat. Webgility thanked him for the suggestion and closed the ticket without further ado.

I also gave it a couple of tries to explain the situation, but they would have none of it.

Just to be sure: I have validated Eric's proof of concept exploit code on my live store. Because of the intense efforts that criminals are undertaking to find vulnerabilities in third-party ecommerce software, it won't be long before this flaw is massively exploited to turn the thousands of Webgility customers into card skimming zombie stores.

Hopefully this post will get Webgility to release a fixed version. If not, better to stay far from its software.

Thanks to Eric and the fine people at Hypernode, you can now use Magereport to check whether your store runs a vulnerable Webgility version.
