When looking for new websites to target, a typical hacker will try to find sites which will require as little effort as possible for them to breach. Ideally they are looking for sites that are running outdated versions of frameworks such as Magento and WordPress, which may be missing critical security patches. Once they have identified a site like this they can usually use a pre-made exploit instead of having to craft their own code to gain access to the server.
In order to find websites with outdated frameworks and missing patches, hackers will often run mass internet scanners which scan millions of sites looking for indicators that will help them to identify what, if any, frameworks the site is using.
For Magento websites, one common way used to be to pull down the RELEASE_NOTES.txt file stored in the root of a Magento installation and check its first line for the version information. Fortunately, on modern Magento installations access to the RELEASE_NOTES.txt file is blocked by default, making it more difficult for an attacker or an automated scanner to work out which version of Magento a site is running.
There are a number of other methods an attacker may use to identify a Magento version, but almost all of these are unreliable and often fail to identify a version at all.
Recently, Foregenix has discovered that by leveraging a Facebook extension, hackers can easily collate the type of data needed to catalogue websites running certain versions of Magento.
The only foolproof way to learn the Magento version is to call the Mage::getVersion() function in the PHP source code. There is no URL you can visit on a modern Magento site which will present the output of this function to the client, unless you are logged into the Administrator interface. Unfortunately, the Facebook Ads Extension changes this by embedding a website's exact version number into the source of almost every page on the site. It does this when inserting a small piece of JavaScript responsible for calling back to Facebook so that Facebook can track page views and visitor behaviour.
The developers of the extension decided to include the version of Magento in every request, presumably so that it can be used for their own analytics. The snippet below shows an example of the JavaScript inserted by the extension:
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', 'XXXXXXXXXXXXXXX', {}, {agent: 'exmagento-1.7.0.2-2.3.4' });
fbq('track', 'PageView', {
source: 'magento',
version: "1.7.0.2",
pluginVersion: "2.3.4"
});
</script>
As you can see, both the exact version of Magento and of the plugin are used to generate an agent string and as arguments to the PageView tracker. It is a trivial exercise for an attacker to create a tool which can extract this information from websites automatically. In this case, the attacker would see that the website is running Magento 1.7.0.2 and may decide to investigate this site further since the 1.7 branch of Magento is fairly outdated, with the current 1.x branch being Magento 1.9.
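The following Python script is an added self-check for site owners, not code from Foregenix or from the Facebook Ads Extension. It takes the HTML of one of your own store pages (here a constructed sample built from the snippet above, with the pixel id replaced by a placeholder), reports whether the Magento and plugin versions are exposed in the agent string or the PageView arguments, and shows what the snippet looks like once those fields are stripped. The regular expressions assume the exact string format shown above; a different extension release may format the fields differently.

```python
import re

# Constructed sample: a page fragment containing the tracking snippet as
# reproduced in the post. The pixel id is a placeholder, not a real one.
SAMPLE_HTML = """<html><head><title>Store</title>
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','//connect.facebook.net/en_US/fbevents.js');
fbq('init', 'XXXXXXXXXXXXXXX', {}, {agent: 'exmagento-1.7.0.2-2.3.4' });
fbq('track', 'PageView', {
source: 'magento',
version: "1.7.0.2",
pluginVersion: "2.3.4"
});
</script>
</head><body>Welcome to the store</body></html>"""

# The agent string embeds both versions: exmagento-<magento>-<plugin>.
AGENT_RE = re.compile(r"agent:\s*['\"]exmagento-([\d.]+)-([\d.]+)['\"]")
# The PageView call carries the same data as separate fields; we only look
# inside that call so unrelated "version:" keys elsewhere on the page are ignored.
PAGEVIEW_RE = re.compile(
    r"fbq\(\s*['\"]track['\"]\s*,\s*['\"]PageView['\"]\s*,\s*\{(.*?)\}\s*\)", re.S
)
VERSION_RE = re.compile(r"\bversion:\s*['\"]([\d.]+)['\"]")
PLUGIN_RE = re.compile(r"\bpluginVersion:\s*['\"]([\d.]+)['\"]")


def find_version_leak(html):
    """Return {'magento': ..., 'plugin': ...} if the page discloses the
    Magento version through the extension's snippet, otherwise None."""
    m = AGENT_RE.search(html)
    if m:
        return {"magento": m.group(1), "plugin": m.group(2)}
    pv = PAGEVIEW_RE.search(html)
    if pv:
        body = pv.group(1)
        v = VERSION_RE.search(body)
        p = PLUGIN_RE.search(body)
        if v or p:
            return {
                "magento": v.group(1) if v else None,
                "plugin": p.group(1) if p else None,
            }
    return None


def redact_version_leak(html):
    """Return the page with the version-bearing fields removed: the agent
    string is reduced to 'exmagento' and the version/pluginVersion lines of
    the PageView call are dropped. The pixel keeps working without them."""
    out = AGENT_RE.sub("agent: 'exmagento'", html)
    out = re.sub(r"^\s*version:\s*['\"][\d.]+['\"],?[ \t]*\n", "", out, flags=re.M)
    out = re.sub(r"^\s*pluginVersion:\s*['\"][\d.]+['\"],?[ \t]*\n", "", out, flags=re.M)
    return out


if __name__ == "__main__":
    leak = find_version_leak(SAMPLE_HTML)
    if leak:
        print("Version disclosed: Magento %s, plugin %s" % (leak["magento"], leak["plugin"]))
    else:
        print("No version disclosure found")
    print("After redaction:", find_version_leak(redact_version_leak(SAMPLE_HTML)))
```

Run it against the saved HTML of any public page of your store; a non-None result means the exact Magento version is readable by anyone who fetches the page. The redaction shows which fields would have to go to close the leak, though whether that is practical depends on how the extension generates the snippet on your installation.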
The net result is that installing and using this extension could very well end up making you an attractive target for hackers looking to steal customer card data or other sensitive information. As such you should consider the security implications carefully before deciding to use this extension.
Finding and reporting vulnerabilities is all part and parcel of our role in the industry. We've recently uncovered a zero-day vulnerability in NfSen/AlienVault OSSIM which you can read more about here. In the meantime, if you're concerned that your website may be running out-of-date software, or even harbouring malware, check out our free web scanner!