Attack code was published on Friday that exploits a critical vulnerability in Magento e-commerce platform, all bug guaranteeing it will be used to plant payment card skimmers on sites that have yet to install a recently released patch.
PRODSECBUG-2198 is a SQL injection vulnerability that attackers can exploit with no authentication required. Hackers could exploit the flaw to take administrative control of administrator accounts, assuming the hackers can download user names and password hashes and crack the hashes. From there, attackers could install the backdoors or skimming code of their choice. A researcher at Web security firm Sucuri said Thursday that company researchers reverse-engineered an official patch released Tuesday and successfully created a working proof of concept exploit.
