
The security company Securatary discovered a vulnerability in Magento Go that allowed attackers to log in to any other Magento Go account by modifying HTTP headers in the browser. Magento (or eBay, as Magento is now an eBay company) responded quickly and has fixed the issue.

Opening up numerous scenarios

The hack was easy to replicate: using a browser extension such as the Firefox extension Modify Headers, a POST request sent from within a source Magento Go account could be modified so that it changed admin privileges in a destination Magento Go account. With this attack, it was possible to gain admin privileges in other Magento Go accounts.

This in turn opened up other opportunities, the most disastrous being the ability to add fake orders using coupon codes. The main flaw seems to have been in the Magento Go code responsible for checking whether a POST request sent for a specific domain was actually coming from that domain. Because this check was either absent or not working properly, it was possible to fool Magento Go by modifying HTTP headers such as the Host header, the Location header and cookie domains.
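As an added defender-side illustration (example code, not Yireo's or Magento's), this is the kind of check the post says was missing, written in Python with constructed store, host and session tables: a state-changing request is only honoured when its Host header is one configured for the target store, its Origin (or Referer) comes from that same store, and the session it carries was issued for that store on that host.

```python
from urllib.parse import urlsplit

# Constructed example data: the hostnames each store may be served on.
STORE_HOSTS = {
    "store-a": {"store-a.example.com"},
    "store-b": {"store-b.example.com"},
}

# Constructed session table: session id -> (store, host the session was issued for).
SESSIONS = {
    "sess-a": ("store-a", "store-a.example.com"),
}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _host_only(value):
    """Normalise a Host/Origin/Referer value to a bare lowercase hostname (no port, scheme or path)."""
    if value is None:
        return None
    if "://" not in value:
        value = "https://" + value  # Host headers carry no scheme; urlsplit needs one
    return (urlsplit(value).hostname or "").lower() or None


def check_request(method, headers, store, session_id):
    """Return (allowed, reason) for an admin request aimed at `store`.

    All three bindings must agree: the Host header, the Origin/Referer of a
    state-changing request, and the host the session was created for.
    """
    allowed = STORE_HOSTS.get(store, set())
    host = _host_only(headers.get("Host"))
    if host not in allowed:
        return False, "host header not configured for store"
    if method.upper() in STATE_CHANGING:
        origin = _host_only(headers.get("Origin") or headers.get("Referer"))
        if origin not in allowed:
            return False, "cross-site state change refused"
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "unknown session"
    sess_store, sess_host = session
    if sess_store != store or sess_host != host:
        return False, "session bound to a different store"
    return True, "ok"
```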

The vulnerability was reported to Magento and fixed quickly afterwards.

Written on 14 February 2014 by Jisse Reitsma

About the author

Jisse Reitsma is the founder of Yireo, an extension developer, a developer trainer and a two-time Magento Master. He is passionate about technology and open source, and he loves talking as well.
