Magento Go HOST-attack

The security company Securatary discovered a vulnerability in Magento Go that allowed attackers to log in to any other Magento Go account by modifying HTTP headers in the browser. Magento (or eBay, as Magento is now an eBay company) responded quickly and has fixed the issue.

Opening up for numerous scenarios

The hack was easy to replicate: using a browser extension like the Firefox extension Modify Headers, the POST request sent from within a source Magento Go account could be made to modify admin privileges in a destination Magento Go account. With this attack, it was possible to gain admin privileges in other Magento Go accounts.

This in turn opened up further possibilities, the most disastrous being the ability to add fake orders using coupon codes. The main flaw seems to have been in the Magento Go code responsible for checking whether a POST request sent for a specific domain was actually coming from that domain. Because this check was either absent or not working properly, it was possible to fool Magento Go by modifying HTTP headers such as the Host header and the Location header, and by changing cookie domains.
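To make the class of flaw concrete, here is an added example (not Magento Go code, and not from Securatary's report) of a multi-tenant admin endpoint written two ways. The vulnerable version picks the target store purely from the client-controlled Host header, so any logged-in user can point a POST at another store. The hardened version keeps an allowlist of store domains, binds the target store to the account the session actually authenticates, and checks that the POST originated from that store's own origin (Origin, falling back to Referer). The `Request` object, the `STORE_OWNERS` table and the store names are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data (hypothetical stores, not real Magento Go accounts):
# store domain -> account that owns it
STORE_OWNERS = {
    "alice-shop.example": "alice",
    "bob-shop.example": "bob",
}


class Forbidden(Exception):
    """Raised when a request fails an authorization or origin check."""


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    headers: dict
    session_user: str  # account the session cookie authenticates
    body: dict


def canonical_host(value: str) -> str:
    """Normalise a host value: drop the port, lowercase, strip a trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):          # IPv6 literal: keep brackets, drop port
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host.rstrip(".")


def vulnerable_grant_admin(req: Request) -> tuple:
    """Chooses the target store from the Host header alone.

    Nothing ties the store to the authenticated session, so a user who is
    logged in to one store can have the change applied to another store
    simply by sending a different Host value.
    """
    store = canonical_host(req.headers.get("Host", ""))
    if store not in STORE_OWNERS:
        raise Forbidden("unknown store")
    return store, req.body["new_admin"]


def hardened_grant_admin(req: Request) -> tuple:
    """Three checks the vulnerable version lacks:

    1. Host must be a configured store domain (allowlist), never arbitrary.
    2. That store must belong to the authenticated session, so the session,
       not a header, decides which tenant is modified.
    3. The POST must come from the store's own origin (Origin header,
       falling back to Referer); cross-site and originless posts are rejected.
    """
    store = canonical_host(req.headers.get("Host", ""))
    if store not in STORE_OWNERS:
        raise Forbidden("Host not in store allowlist")
    if STORE_OWNERS[store] != req.session_user:
        raise Forbidden("session does not own this store")
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin or canonical_host(urlsplit(origin).netloc) != store:
        raise Forbidden("POST did not originate from the store's own origin")
    return store, req.body["new_admin"]


def is_rejected(handler, req: Request) -> bool:
    """True if the handler refuses the request with Forbidden."""
    try:
        handler(req)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Session belongs to alice, but the Host header names bob's store.
    cross_store = Request(
        headers={"Host": "bob-shop.example", "Origin": "https://alice-shop.example"},
        session_user="alice",
        body={"new_admin": "mallory"},
    )
    print("vulnerable:", vulnerable_grant_admin(cross_store))   # escalates in bob's store
    print("hardened rejects:", is_rejected(hardened_grant_admin, cross_store))

    # Legitimate request: bob's session, bob's store, same-origin POST.
    legit = Request(
        headers={"Host": "Bob-Shop.example:443", "Origin": "https://bob-shop.example"},
        session_user="bob",
        body={"new_admin": "carol"},
    )
    print("hardened accepts:", hardened_grant_admin(legit))
```

The important design choice is the second check: the tenant is derived from what the session proves, and the Host header is only allowed to agree with it. Rejections from `hardened_grant_admin` are also worth logging with the session user and the offending Host value, since a session repeatedly presenting Host values for stores it does not own is exactly the signal a defender would want to alert on.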

The vulnerability was reported to Magento and fixed quickly afterwards.

Written by Jisse Reitsma on 14 February 2014
