eCommerce consultants were not exaggerating when they warned their audience to hold off and not move their Magento store to Magento 2, because the platform isn't ready yet.
Security issues continue to haunt Magento 2. You're lucky if you heeded the experts' advice and haven't migrated yet; otherwise you could be one of the 200,000 online sellers who are at risk.
Web security service provider DefenseCode found a remote code execution (RCE) bug linked to a feature in the Magento 2 software that allows administrators to add videos hosted on Vimeo.
That could serve as an opening for attackers to access a Magento store's database, including confidential information, and even install malware.
All they have to do is lure a user into fetching a URL that delivers a .htaccess file and a PHP file. Once those two files land on the server, the attacker can run code on the victim's system from a remote server.
"During the security audit of Magento Community Edition, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information," DefenseCode said in their advisory.
They added that the affected versions of the Magento Community Edition software include 2.1.6 and below.
Reassurance from Magento
Though they haven't heard of any actual attacks yet, Magento reassured their customers that they are already looking into the matter.
The company has also recommended an interim step that merchants can take to protect their customers' data.
"We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild. We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes," they said.
To protect their users from possible attacks until the patch ships, Magento sent out an email with the steps for switching on the "Add Secret Key to URLs" option.
Think your Magento 2 store is at risk? Follow these steps:
- Log on to your Merchant Site Admin URL (e.g., yourdomain.com/admin)
- Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
- Select YES from the dropdown options
- Click on Save Config
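The steps above go through the admin UI. The script below is an added example, not code from the article or from Magento, that does the same job from the shell and adds two checks a practitioner would want: confirming the setting took effect, and looking for the kind of files the attack described above drops into the media directory. It assumes the configuration path behind the "Add Secret Key to URLs" option is admin/security/use_form_key in the core_config_data table, that bin/magento config:set is available (it appeared in 2.2, so the SQL fallback is provided for the affected 2.1.x releases), and that a secret key shows up in admin URLs as a /key/<hex>/ path segment. MAGENTO_ROOT and the sample URL are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from Magento): turn on
# "Add Secret Key to URLs", verify it, and hunt for dropped web executables.
#
# Assumptions (not stated on the page):
#  - MAGENTO_ROOT is a Magento 2 install with bin/magento present.
#  - The option is stored at admin/security/use_form_key, default scope.
#  - bin/magento config:set exists on 2.2+; use the SQL below on 2.1.x.
#  - Admin URLs carry the key as /key/<hex>/ once the option is on.
set -eu

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
CONFIG_PATH='admin/security/use_form_key'

# Return 0 when an admin URL carries a secret-key segment, 1 otherwise.
# Paste a URL copied from the admin after "Save Config" to confirm the change.
admin_url_has_key() {
    printf '%s\n' "$1" | grep -Eq '/key/[0-9a-f]{32,}/?'
}

# Print the SQL that enables the option for the default scope. Run it with
# the mysql client on 2.1.x (no config:set there), then clean the config cache.
# (scope, scope_id, path) is unique in core_config_data, so the upsert is safe.
secret_key_sql() {
    cat <<EOF
INSERT INTO core_config_data (scope, scope_id, path, value)
VALUES ('default', 0, '$CONFIG_PATH', '1')
ON DUPLICATE KEY UPDATE value = '1';
EOF
}

# List .htaccess and .php files under a media directory. The attack in the
# article plants exactly these; compare the output against a clean checkout,
# since Magento ships a few .htaccess files under pub/media itself.
find_web_executables() {
    find "$1" -type f \( -name '.htaccess' -o -iname '*.php' \) 2>/dev/null | sort
}

# Apply the change with the CLI (2.2+) when run as: sh this.sh --apply
if [ "${1:-}" = "--apply" ]; then
    cd "$MAGENTO_ROOT"
    bin/magento config:set "$CONFIG_PATH" 1
    bin/magento cache:clean config
    find_web_executables "$MAGENTO_ROOT/pub/media"
fi
```

After applying, open any admin page and check that the address bar URL passes admin_url_has_key; if it does not, the config cache is still serving the old value and needs cleaning. Anything find_web_executables reports that is not in a clean Magento checkout deserves a look before the patch is installed, not after.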
We may have sounded like a broken record, telling you yet again that Magento 2 is still not ready, but we're glad that we did.