
Foregenix Blog

Facebook Ads Extension for Magento Leaking Magento Version

When looking for new websites to target, a typical hacker will try to find sites which will require as little effort as possible for them to breach. Ideally they are looking for sites that are running outdated versions of frameworks such as Magento and WordPress, which may be missing critical security patches. Once they have identified a site like this they can usually use a pre-made exploit instead of having to craft their own code to gain access to the server.

In order to find websites with outdated frameworks and missing patches, hackers will often run mass internet scanners which scan millions of sites looking for indicators that will help them to identify what, if any, frameworks the site is using.

For Magento websites, one common way used to be by pulling down the RELEASE_NOTES.txt file stored on the root of a Magento installation and checking the first line for the version information. Fortunately, on modern Magento installations access to the RELEASE_NOTES.txt file is blocked by default, making it more difficult for an attacker or an automated scanner to figure out what version of Magento a site is running.

There are a number of other methods an attacker may use to identify a Magento version, but almost all of these are unreliable and often fail to identify a version at all.

Recently, Foregenix has discovered that by leveraging a Facebook extension, hackers can easily collate the type of data needed to catalog websites running certain versions of Magento.

The only foolproof way to learn the Magento version is to call the Mage::getVersion() function in the PHP source code. There is no URL you can visit on a modern Magento site which will present the output of this function to the client, unless you are logged into the Administrator interface. Unfortunately, the Facebook Ads Extension changes this by embedding a website's exact version number into the source of almost every page on the site. It does this when inserting a small JavaScript snippet responsible for calling back to Facebook so that they can track page views and visitor behaviour.

The developers of the extension decided to include the version of Magento in every request, presumably so that it can be used for their own analytics. The snippet below shows an example of the JavaScript inserted by the extension:

<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', 'XXXXXXXXXXXXXXX', {}, {agent: 'exmagento-1.7.0.2-2.3.4' });
fbq('track', 'PageView', {
  source: 'magento',
  version: "1.7.0.2",
  pluginVersion: "2.3.4"
});
</script>

As you can see, the exact Magento version and the exact plugin version are both used to generate the agent string and are passed as arguments to the PageView tracker. Note that the pixel's own n.version='2.0' in the bootstrap is the Facebook library version, not the Magento one; the Magento version is the first component of the agent string and the version field of the PageView call. It is a trivial exercise for an attacker to create a tool which can extract this information from websites automatically. In this case, the attacker would see that the website is running Magento 1.7.0.2 and may decide to investigate this site further since the 1.7 branch of Magento is fairly outdated, with the current 1.x branch being Magento 1.9.
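The extraction described above, as an added example written for this article (it is not code from the extension, from Magento or from Foregenix): a short Python script that pulls the Magento and plugin versions out of a page's HTML from the two places the snippet exposes them, the agent option of fbq('init', ...) and the version/pluginVersion fields of fbq('track', 'PageView', ...), and flags the site if it sits behind the current 1.x branch. The sample pages, the reference branch "1.9", the User-Agent string and all function names are the example's own assumptions; the scan() helper is there so a site owner can run the same check against their own storefront.

```python
"""Fingerprint a Magento site from the Facebook Ads Extension pixel.

Added example for this article, not code from the extension, from Magento or
from Foregenix. The same parser serves an attacker cataloguing targets and a
defender checking whether their own storefront leaks its version.
"""
import re
import sys
import urllib.request
from typing import Dict, Optional

# agent: 'exmagento-<magento version>-<plugin version>' in the fbq('init', ...) call
AGENT_RE = re.compile(r"agent\s*:\s*['\"]exmagento-(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)['\"]")
# Body of the object literal passed to fbq('track', 'PageView', {...})
PAGEVIEW_RE = re.compile(
    r"fbq\(\s*['\"]track['\"]\s*,\s*['\"]PageView['\"]\s*,\s*\{(.*?)\}", re.S
)
# These are searched only inside that object, so the pixel bootstrap's own
# n.version='2.0' (the Facebook library version) is never mistaken for Magento's.
SOURCE_RE = re.compile(r"\bsource\s*:\s*['\"]magento['\"]")
VERSION_RE = re.compile(r"\bversion\s*:\s*['\"](\d+(?:\.\d+)*)['\"]")
PLUGIN_RE = re.compile(r"\bpluginVersion\s*:\s*['\"](\d+(?:\.\d+)*)['\"]")


def fingerprint(html: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the leaked versions and where they came from, or None if absent."""
    m = AGENT_RE.search(html)
    if m:
        return {"magento": m.group(1), "plugin": m.group(2), "via": "agent"}
    pv = PAGEVIEW_RE.search(html)
    if pv and SOURCE_RE.search(pv.group(1)):
        body = pv.group(1)
        v = VERSION_RE.search(body)
        p = PLUGIN_RE.search(body)
        if v:
            return {"magento": v.group(1), "plugin": p.group(1) if p else None, "via": "pageview"}
    return None


def _as_tuple(version: str):
    return tuple(int(part) for part in version.split("."))


def is_older(version: str, reference: str) -> bool:
    """Component-wise numeric comparison, e.g. is_older("1.7.0.2", "1.9") -> True."""
    return _as_tuple(version) < _as_tuple(reference)


def scan(url: str, timeout: int = 10) -> Optional[Dict[str, Optional[str]]]:
    """Fetch one page and fingerprint it. Only use against sites you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "magento-fbpixel-check/1.0"})  # assumed UA
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return fingerprint(resp.read().decode("utf-8", errors="replace"))


# Constructed sample pages for the example (not captured from any real site).
SAMPLE_WITH_EXTENSION = """<html><head><script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', 'XXXXXXXXXXXXXXX', {}, {agent: 'exmagento-1.7.0.2-2.3.4' });
fbq('track', 'PageView', {
  source: 'magento',
  version: "1.7.0.2",
  pluginVersion: "2.3.4"
});
</script></head><body>Shop</body></html>"""

# Same page with the agent option stripped: forces the PageView fallback path.
SAMPLE_PAGEVIEW_ONLY = SAMPLE_WITH_EXTENSION.replace(
    ", {}, {agent: 'exmagento-1.7.0.2-2.3.4' }", ""
)

# A plain Facebook pixel with no Magento extension: must not produce a false positive.
SAMPLE_WITHOUT_EXTENSION = """<script>n.version='2.0';
fbq('init', 'XXXXXXXXXXXXXXX'); fbq('track', 'PageView');</script>"""


if __name__ == "__main__":
    result = scan(sys.argv[1]) if len(sys.argv) > 1 else fingerprint(SAMPLE_WITH_EXTENSION)
    if result is None:
        print("no Facebook Ads Extension version leak found")
    else:
        state = "OUTDATED" if is_older(result["magento"], "1.9") else "current 1.x branch"
        print(f"Magento {result['magento']} ({state}), plugin {result['plugin']}, via {result['via']}")
```

Run it with no arguments to see the constructed sample fingerprinted, or pass a URL to check a site you own. The agent string is preferred because it carries both versions in one token; the PageView object is used only as a fallback, and only when its source field says magento, so an unrelated Facebook pixel is not reported.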

The net result is that installing and using this extension could very well end up making you an attractive target for hackers looking to steal customer card data or other sensitive information. As such you should consider the security implications carefully before deciding to use this extension.

Finding and reporting vulnerabilities is all part and parcel of our role in the industry. We've recently uncovered a zero-day vulnerability in NfSen/AlienVault OSSIM, which you can read more about here. In the meantime, if you're concerned that your website may be running out-of-date software, or even harbouring malware, check out our free web scanner!
