Insecure module opened the door for attackers to hijack payments

Security researchers have developed a proof-of-concept attack that exploits a recently patched vulnerability involving a plugin for Magento, the widely used e-commerce platform.

Lack of origin authentication in the CardGate Payments plugin made it possible for an attacker to change plugin settings, such as the merchant ID or secret key, in order to hijack the payment process.

The CVE-2020-8818 vulnerability made it possible for a cybercriminal to “spoof an order status by manually sending an IPN [Instant Payment Notification] callback request with a valid signature but without real payment”.

A successful attack would also allow fraudsters to change settings in order to route payments meant for a merchant towards an account under their control.

Fortunately, the PHP-based vulnerability was fixed a week ago, on February 19.

CardGate Payments plugin up to 2.0.30 for Magento 2 need to be patched. CardGate Payment Gateway Module 2.0.30 also needs to be updated for the same reason.

LISTEN NOW SwigCast, Episode 4: MAGECART

CardGate is a payment service provider based in the Netherlands.

The vulnerability is said to stem from coding mistakes in the IPN callback processing function in Controller/Payment/Callback.php.

Remediation and patching work have been given extra urgency by the release of proof-of-concept exploit code on Saturday (February 22).

The Daily Swig has invited both Magento, which is owned by Adobe, and CardGate to comment. We’ll update this story as and when more information comes to hand.

RELATED Magento fixes trio of critical security flaws