Security researchers from Securatary have identified a cross-store privilege escalation vulnerability in Magento (gostorego.com) that could have been exploited to create administrative users on any of the 200,000 active stores.
The issue was reported to eBay through the company’s bug bounty program on February 9, 2014, and by February 12 Securatary had confirmed that the vulnerability was patched.
According to the detailed report published by the researchers, an attack against *.gostorego.com stores could have been automated to create an administrative account on each of them.
Securatary has also found an attack method which it has dubbed “stealth mode.” In a “regular” attack, the cybercriminals could have used the administrative accounts they’ve created to perform various operations.
However, in stealth mode, the attackers could add store credit, add gift cards, change prices and view customer information by impersonating the store owner. This way, the unauthorized actions don’t raise any suspicion.